Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-45047 (GCVE-0-2022-45047)
Vulnerability from cvelistv5 – Published: 2022-11-16 00:00 – Updated: 2024-08-03 14:01
VLAI?
EPSS
Summary
Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache MINA SSHD |
Affected:
unspecified , ≤ 2.9.1
(custom)
|
Credits
The Apache MINA SSHD team would like to thank Zhang Zewei, NOFOCUS, for reporting this issue.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:01:31.528Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.mail-archive.com/dev%40mina.apache.org/msg39312.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240216-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache MINA SSHD",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.9.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "The Apache MINA SSHD team would like to thank Zhang Zewei, NOFOCUS, for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD \u003c= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server."
}
],
"metrics": [
{
"other": {
"content": {
"other": "important"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-16T13:06:09.825899",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://www.mail-archive.com/dev%40mina.apache.org/msg39312.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240216-0008/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache MINA SSHD: Java unsafe deserialization vulnerability",
"workarounds": [
{
"lang": "en",
"value": "For Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of SimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser)."
},
{
"lang": "en",
"value": "The issue was fixed in Apache MINA SSHD 2.9.2. "
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-45047",
"datePublished": "2022-11-16T00:00:00",
"dateReserved": "2022-11-08T00:00:00",
"dateUpdated": "2024-08-03T14:01:31.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:sshd:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2.9.1\", \"matchCriteriaId\": \"00D0F9FD-039D-4097-979B-9242276B1DD3\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD \u003c= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.\"}, {\"lang\": \"es\", \"value\": \"La clase org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider en Apache MINA SSHD anteriore a la versi\\u00f3n 2.9.1 usa la deserializaci\\u00f3n de Java para cargar una java.security.PrivateKey serializada. La clase es una de varias implementaciones que un implementador que usa Apache MINA SSHD puede elegir para cargar las claves de host de un servidor SSH.\"}]",
"id": "CVE-2022-45047",
"lastModified": "2024-11-21T07:28:40.453",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
"published": "2022-11-16T09:15:14.320",
"references": "[{\"url\": \"https://security.netapp.com/advisory/ntap-20240216-0008/\", \"source\": \"security@apache.org\"}, {\"url\": \"https://www.mail-archive.com/dev%40mina.apache.org/msg39312.html\", \"source\": \"security@apache.org\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240216-0008/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.mail-archive.com/dev%40mina.apache.org/msg39312.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-45047\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2022-11-16T09:15:14.320\",\"lastModified\":\"2024-11-21T07:28:40.453\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD \u003c= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.\"},{\"lang\":\"es\",\"value\":\"La clase org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider en Apache MINA SSHD anteriore a la versi\u00f3n 2.9.1 usa la deserializaci\u00f3n de Java para cargar una java.security.PrivateKey serializada. La clase es una de varias implementaciones que un implementador que usa Apache MINA SSHD puede elegir para cargar las claves de host de un servidor SSH.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:sshd:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.9.1\",\"matchCriteriaId\":\"00D0F9FD-039D-4097-979B-9242276B1DD3\"}]}]}],\"references\":[{\"url\":\"https://security.netapp.com/advisory/ntap-20240216-0008/\",\"source\":\"security@apache.org\"},{\"url\":\"https://www.mail-archive.com/dev%40mina.apache.org/msg39312.html\",\"source\":\"security@apache.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240216-0008/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.mail-archive.com/dev%40mina.apache.org/msg39312.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
RHSA-2023_1045
Vulnerability from csaf_redhat - Published: 2023-03-01 21:45 - Updated: 2024-12-18 00:38Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 9
Notes
Topic
New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.2 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* keycloak: reflected XSS attack (CVE-2022-4137)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.2 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* jquery: Passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* keycloak: reflected XSS attack (CVE-2022-4137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1045",
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1045.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 9",
"tracking": {
"current_release_date": "2024-12-18T00:38:05+00:00",
"generator": {
"date": "2024-12-18T00:38:05+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:1045",
"initial_release_date": "2023-03-01T21:45:17+00:00",
"revision_history": [
{
"date": "2023-03-01T21:45:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-01T21:45:17+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-18T00:38:05+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7.6 for RHEL 9",
"product": {
"name": "Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"product": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el9sso?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"product": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el9sso?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"product": {
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"product_id": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@18.0.6-1.redhat_00001.1.el9sso?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
},
"product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"relates_to_product_reference": "9Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src"
},
"product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"relates_to_product_reference": "9Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
},
"product_reference": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"relates_to_product_reference": "9Base-RHSSO-7.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2021-35065",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156324"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glob-parent: Regular Expression Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-35065"
},
{
"category": "external",
"summary": "RHBZ#2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35065"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294",
"url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294"
}
],
"release_date": "2022-12-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "glob-parent: Regular Expression Denial of Service"
},
{
"cve": "CVE-2021-44906",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-03-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066009"
}
],
"notes": [
{
"category": "description",
"text": "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "minimist: prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44906"
},
{
"category": "external",
"summary": "RHBZ#2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"
}
],
"release_date": "2022-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "minimist: prototype pollution"
},
{
"acknowledgments": [
{
"names": [
"Marcus Nilsson"
],
"organization": "usd AG"
}
],
"cve": "CVE-2022-1274",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-04-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2073157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: HTML injection in execute-actions-email Admin REST API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1274"
},
{
"category": "external",
"summary": "RHBZ#2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1274"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725"
}
],
"release_date": "2023-02-28T18:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: HTML injection in execute-actions-email Admin REST API"
},
{
"acknowledgments": [
{
"names": [
"Grzegorz Tworek"
],
"organization": "SISOFT s.c."
}
],
"cve": "CVE-2022-1438",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2021-12-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031904"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: XSS on impersonation under specific circumstances",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1438"
},
{
"category": "external",
"summary": "RHBZ#2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1438"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438"
}
],
"release_date": "2023-02-28T18:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: XSS on impersonation under specific circumstances"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-2764",
"discovery_date": "2022-08-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2117506"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2764"
},
{
"category": "external",
"summary": "RHBZ#2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2764"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764"
}
],
"release_date": "2022-08-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations"
},
{
"acknowledgments": [
{
"names": [
"Peter Flintholm"
],
"organization": "Trifork"
}
],
"cve": "CVE-2022-3916",
"cwe": {
"id": "CWE-384",
"name": "Session Fixation"
},
"discovery_date": "2022-11-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2141404"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Session takeover with OIDC offline refreshtokens",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3916"
},
{
"category": "external",
"summary": "RHBZ#2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3916"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916"
}
],
"release_date": "2022-11-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Session takeover with OIDC offline refreshtokens"
},
{
"cve": "CVE-2022-4137",
"cwe": {
"id": "CWE-81",
"name": "Improper Neutralization of Script in an Error Message Web Page"
},
"discovery_date": "2022-11-25T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2148496"
}
],
"notes": [
{
"category": "description",
"text": "A reflected cross-site scripting (XSS) vulnerability was found in the \u0027oob\u0027 OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: reflected XSS attack",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4137"
},
{
"category": "external",
"summary": "RHBZ#2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4137",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137"
}
],
"release_date": "2023-03-01T13:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: reflected XSS attack"
},
{
"cve": "CVE-2022-24785",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-04-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2072009"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Moment.js: Path traversal in moment.locale",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24785"
},
{
"category": "external",
"summary": "RHBZ#2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4",
"url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
}
],
"release_date": "2022-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
},
{
"category": "workaround",
"details": "Sanitize the user-provided locale name before passing it to Moment.js.",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Moment.js: Path traversal in moment.locale"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-31129",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-07-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2105075"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "moment: inefficient parsing algorithm resulting in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31129"
},
{
"category": "external",
"summary": "RHBZ#2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
"url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
}
],
"release_date": "2022-07-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "moment: inefficient parsing algorithm resulting in DoS"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-38749",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129706"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38749"
},
{
"category": "external",
"summary": "RHBZ#2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode"
},
{
"cve": "CVE-2022-38750",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129707"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38750"
},
{
"category": "external",
"summary": "RHBZ#2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject"
},
{
"cve": "CVE-2022-38751",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129709"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38751"
},
{
"category": "external",
"summary": "RHBZ#2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46175",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json5: Prototype Pollution in JSON5 via Parse Method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46175"
},
{
"category": "external",
"summary": "RHBZ#2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175"
},
{
"category": "external",
"summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h",
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
}
],
"release_date": "2022-12-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "json5: Prototype Pollution in JSON5 via Parse Method"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "CXF: SSRF Vulnerability"
},
{
"acknowledgments": [
{
"names": [
"Sourav Kumar"
],
"organization": "https://github.com/souravs17031999",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0091",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Client Registration endpoint does not check token revocation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0091"
},
{
"category": "external",
"summary": "RHBZ#2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0091"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg"
},
{
"category": "external",
"summary": "https://github.com/keycloak/security/issues/27",
"url": "https://github.com/keycloak/security/issues/27"
}
],
"release_date": "2022-10-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Client Registration endpoint does not check token revocation"
},
{
"acknowledgments": [
{
"names": [
"Jordi Zayuelas i Mu\u00f1oz"
],
"organization": "A1 Digital",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0264",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2023-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: user impersonation via stolen uuid code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0264"
},
{
"category": "external",
"summary": "RHBZ#2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0264"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264"
}
],
"release_date": "2023-02-28T18:58:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: user impersonation via stolen uuid code"
}
]
}
RHSA-2025:1747
Vulnerability from csaf_redhat - Published: 2025-02-24 00:08 - Updated: 2025-12-05 12:21Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.3.12 security update
Notes
Topic
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat
JBoss Enterprise Application Platform 7.3.12 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.11, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.12 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* velocity: arbitrary code execution when attacker is able to modify templates [eap-7.3.z] (CVE-2020-13936)
* CXF: Apache CXF: directory listing / code exfiltration [eap-7.3.z] (CVE-2022-46363)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability [eap-7.3.z] (CVE-2022-45047)
* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value [eap-7.3.z] (CVE-2021-44228)
* commons-text: apache-commons-text: variable interpolation RCE [eap-7.3.z] (CVE-2022-42889)
* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) [eap-7.3.z] (CVE-2021-45046)
* org.jboss.hal-hal-parent: minimist: prototype pollution [eap-7.3.z] (CVE-2021-44906)
* jackson-databind: use of deeply nested arrays [eap-7.3.z] (CVE-2022-42004)
* snakeyaml: Constructor Deserialization Remote Code Execution [eap-7.3.z] (CVE-2022-1471)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [eap-7.3.z] (CVE-2022-41881)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [eap-7.3.z] (CVE-2022-42003)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos [eap-7.3.z] (CVE-2022-45693)
* h2: Remote Code Execution in Console [eap-7.3.z] (CVE-2021-42392)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat\nJBoss Enterprise Application Platform 7.3.12 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.11, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.12 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* velocity: arbitrary code execution when attacker is able to modify templates [eap-7.3.z] (CVE-2020-13936)\n\n* CXF: Apache CXF: directory listing / code exfiltration [eap-7.3.z] (CVE-2022-46363)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability [eap-7.3.z] (CVE-2022-45047)\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value [eap-7.3.z] (CVE-2021-44228)\n\n* commons-text: apache-commons-text: variable interpolation RCE [eap-7.3.z] (CVE-2022-42889)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) [eap-7.3.z] (CVE-2021-45046)\n\n* org.jboss.hal-hal-parent: minimist: prototype pollution [eap-7.3.z] (CVE-2021-44906)\n\n* jackson-databind: use of deeply nested arrays [eap-7.3.z] (CVE-2022-42004)\n\n* snakeyaml: Constructor Deserialization Remote Code Execution [eap-7.3.z] (CVE-2022-1471)\n\n* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [eap-7.3.z] (CVE-2022-41881)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [eap-7.3.z] (CVE-2022-42003)\n\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos [eap-7.3.z] (CVE-2022-45693)\n\n* h2: Remote Code Execution in Console [eap-7.3.z] (CVE-2021-42392)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:1747",
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3",
"url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/index",
"url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/index"
},
{
"category": "external",
"summary": "1937440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937440"
},
{
"category": "external",
"summary": "2030932",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932"
},
{
"category": "external",
"summary": "2032580",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580"
},
{
"category": "external",
"summary": "2039403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039403"
},
{
"category": "external",
"summary": "2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "JBEAP-28581",
"url": "https://issues.redhat.com/browse/JBEAP-28581"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_1747.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.3.12 security update",
"tracking": {
"current_release_date": "2025-12-05T12:21:18+00:00",
"generator": {
"date": "2025-12-05T12:21:18+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.13"
}
},
"id": "RHSA-2025:1747",
"initial_release_date": "2025-02-24T00:08:38+00:00",
"revision_history": [
{
"date": "2025-02-24T00:08:38+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-02-24T00:08:38+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-12-05T12:21:18+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.2.17-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"product": {
"name": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"product_id": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-databind@2.10.4-4.redhat_00004.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"product": {
"name": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"product_id": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-netty@4.1.63-4.Final_redhat_00002.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"product_id": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-snakeyaml@1.33.0-1.SP1_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"product": {
"name": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"product_id": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-2.redhat_00002.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"product": {
"name": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"product_id": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.10.4-4.redhat_00004.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product": {
"name": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product_id": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.10.4-2.redhat_00004.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product": {
"name": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product_id": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-core@2.10.4-2.redhat_00004.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product": {
"name": "eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product_id": "eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-providers@2.10.4-2.redhat_00004.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product": {
"name": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product_id": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.10.4-2.redhat_00004.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"product": {
"name": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"product_id": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.3.12-3.GA_redhat_00002.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy@3.11.6-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.2.17-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-databind@2.10.4-4.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"product": {
"name": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"product_id": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-netty@4.1.63-4.Final_redhat_00002.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"product": {
"name": "eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"product_id": "eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-netty-all@4.1.63-4.Final_redhat_00002.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-snakeyaml@1.33.0-1.SP1_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"product": {
"name": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"product_id": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-2.redhat_00002.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-module-jaxb-annotations@2.10.4-4.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.10.4-4.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.10.4-2.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-core@2.10.4-2.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-base@2.10.4-2.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-json-provider@2.10.4-2.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-datatype-jdk8@2.10.4-2.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-datatype-jsr310@2.10.4-2.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_id": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.10.4-2.redhat_00004.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_id": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.3.12-3.GA_redhat_00002.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_id": "eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.3.12-3.GA_redhat_00002.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_id": "eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.3.12-3.GA_redhat_00002.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_id": "eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.3.12-3.GA_redhat_00002.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_id": "eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.3.12-3.GA_redhat_00002.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-atom-provider@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-cdi@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-client@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-client-microprofile@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-crypto@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jackson-provider@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jackson2-provider@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jaxb-provider@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jaxrs@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jettison-provider@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jose-jwt@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jsapi@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-json-binding-provider@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-json-p-provider@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-multipart-provider@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-rxjava2@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-spring@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-validator-provider-11@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-yaml-provider@3.11.6-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src"
},
"product_reference": "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src"
},
"product_reference": "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src"
},
"product_reference": "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src"
},
"product_reference": "eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src"
},
"product_reference": "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src"
},
"product_reference": "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch"
},
"product_reference": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src"
},
"product_reference": "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch"
},
"product_reference": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src"
},
"product_reference": "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch"
},
"product_reference": "eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src"
},
"product_reference": "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.3-EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-13936",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2021-03-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1937440"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in velocity. An attacker, able to modify Velocity templates, may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "velocity: arbitrary code execution when attacker is able to modify templates",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) openshift-logging/elasticsearch6-rhel8 container does contain a vulnerable version of velocity. The references to the library only occur in the x-pack component which is an enterprise-only feature of Elasticsearch - hence it has been marked as wontfix as this time and may be fixed in a future release. Additionally the hive container only references velocity in the testutils of the code but the code still exists in the container, as such it has been given a Moderate impact.\n\n* Velocity as shipped with Red Hat Enterprise Linux 6 is not affected because it does not contain the vulnerable code.\n\n* Velocity as shipped with Red Hat Enterprise Linux 7 contains a vulnerable version, but it is used as a dependency for IdM/ipa, which does not use the vulnerable functionality. It has been marked as Moderate for this reason.\n\n* Although velocity shipped in Red Hat Enterprise Linux 8\u0027s pki-deps:10.6 for IdM/ipa is a vulnerable version, the vulnerable code is not used by pki. It has been marked as Low for this reason.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-13936"
},
{
"category": "external",
"summary": "RHBZ#1937440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937440"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-13936",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13936"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13936",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13936"
}
],
"release_date": "2021-03-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "velocity: arbitrary code execution when attacker is able to modify templates"
},
{
"cve": "CVE-2021-42392",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-01-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2039403"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in h2. The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. This flaw allows an attacker to use this URL to send another server\u2019s code, causing remote code execution. This issue is exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "h2: Remote Code Execution in Console",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In OpenShift Container Platform (OCP) the openshift4/ose-metering-presto container image ships the vulnerable version of h2, but as it uses default configuration the impact by this vulnerability is LOW. Additionally, the Presto component is part of the OCP Metering stack and since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected component is marked as wontfix.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-42392"
},
{
"category": "external",
"summary": "RHBZ#2039403",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2039403"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-42392",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42392"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-42392",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42392"
},
{
"category": "external",
"summary": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6",
"url": "https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6"
}
],
"release_date": "2022-01-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "h2: Remote Code Execution in Console"
},
{
"cve": "CVE-2021-44228",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-12-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2030932"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44228"
},
{
"category": "external",
"summary": "RHBZ#2030932",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932"
},
{
"category": "external",
"summary": "RHSB-2021-009",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q",
"url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
},
{
"category": "external",
"summary": "https://logging.apache.org/log4j/2.x/security.html",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"category": "external",
"summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/",
"url": "https://www.lunasec.io/docs/blog/log4j-zero-day/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2021-12-10T02:01:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
},
{
"category": "workaround",
"details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2021-12-10T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Critical"
}
],
"title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value"
},
{
"cve": "CVE-2021-44906",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-03-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066009"
}
],
"notes": [
{
"category": "description",
"text": "An Uncontrolled Resource Consumption flaw was found in minimist. The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. This flaw (CVE-2021-44906) allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "minimist: prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "As minimist is an argument parsing module for nodejs, exploitation of this vulnerability requires an attacker to influence which arguments are passed to nodejs when running a script. Red Hat products and services are designed in such a way that gaining this ability is not trivial. Additionally, the impact is limited by only enabling the pollution of functions, and not all generic objects.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44906"
},
{
"category": "external",
"summary": "RHBZ#2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"
}
],
"release_date": "2022-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "minimist: prototype pollution"
},
{
"cve": "CVE-2021-45046",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2032580"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-45046"
},
{
"category": "external",
"summary": "RHBZ#2032580",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45046"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2021-44228",
"url": "https://access.redhat.com/security/cve/CVE-2021-44228"
},
{
"category": "external",
"summary": "https://logging.apache.org/log4j/2.x/security.html",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4",
"url": "https://www.openwall.com/lists/oss-security/2021/12/14/4"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2021-12-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
},
{
"category": "workaround",
"details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2023-05-01T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Moderate"
}
],
"title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-41881",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2022-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2153379"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41881"
},
{
"category": "external",
"summary": "RHBZ#2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881"
}
],
"release_date": "2022-12-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-42889",
"cwe": {
"id": "CWE-1188",
"name": "Initialization of a Resource with an Insecure Default"
},
"discovery_date": "2022-10-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135435"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-text: variable interpolation RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42889"
},
{
"category": "external",
"summary": "RHBZ#2135435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42889",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42889"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889"
},
{
"category": "external",
"summary": "https://blogs.apache.org/security/entry/cve-2022-42889",
"url": "https://blogs.apache.org/security/entry/cve-2022-42889"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om",
"url": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om"
},
{
"category": "external",
"summary": "https://seclists.org/oss-sec/2022/q4/22",
"url": "https://seclists.org/oss-sec/2022/q4/22"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
},
{
"category": "workaround",
"details": "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "apache-commons-text: variable interpolation RCE"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:38+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jdk8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-datatype-jsr310-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-base-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-json-provider-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-module-jaxb-annotations-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-netty-all-0:4.1.63-4.Final_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-atom-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-cdi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-client-microprofile-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-crypto-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jackson2-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxb-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jaxrs-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jettison-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jose-jwt-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-jsapi-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-binding-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-json-p-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-multipart-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-rxjava2-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-spring-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-validator-provider-11-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-resteasy-yaml-provider-0:3.11.6-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk11-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-java-jdk8-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-javadocs-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.3-EUS:eap7-wildfly-modules-0:7.3.12-3.GA_redhat_00002.1.el7eap.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
}
]
}
RHSA-2023:1047
Vulnerability from csaf_redhat - Published: 2023-03-01 21:46 - Updated: 2025-12-05 06:19Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 for OpenShift image security and enhancement update
Notes
Topic
A new image is available for Red Hat Single Sign-On 7.6.2, running on Red
Hat OpenShift Container Platform from the release of 3.11 up to the release
of 4.12.0.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On is an integrated sign-on solution, available as a
Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat
Single Sign-On for OpenShift image provides an authentication server that
you can use to log in centrally, log out, and register. You can also manage
user accounts for web applications, mobile applications, and RESTful web
services.
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* RH-SSO for OpenShift images: unsecured management interface exposed to adjacent network (CVE-2022-4039)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: XSS on izmpersonation under specific circumstances (CVE-2022-1438)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
This erratum releases a new image for Red Hat Single Sign-On 7.6.2 for use
within the Red Hat OpenShift Container Platform (from the release of 3.11
up to the release of 4.12.0) cloud computing Platform-as-a-Service (PaaS)
for on-premise or private cloud deployments, aligning with the standalone
product release.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A new image is available for Red Hat Single Sign-On 7.6.2, running on Red\nHat OpenShift Container Platform from the release of 3.11 up to the release\nof 4.12.0.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On is an integrated sign-on solution, available as a\nRed Hat JBoss Middleware for OpenShift containerized image. The Red Hat\nSingle Sign-On for OpenShift image provides an authentication server that\nyou can use to log in centrally, log out, and register. You can also manage\nuser accounts for web applications, mobile applications, and RESTful web\nservices.\n\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* RH-SSO for OpenShift images: unsecured management interface exposed to adjacent network (CVE-2022-4039)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: XSS on izmpersonation under specific circumstances (CVE-2022-1438)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.6.2 for use\nwithin the Red Hat OpenShift Container Platform (from the release of 3.11\nup to the release of 4.12.0) cloud computing Platform-as-a-Service (PaaS)\nfor on-premise or private cloud deployments, aligning with the standalone\nproduct release.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1047",
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "2143416",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143416"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1047.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 for OpenShift image security and enhancement update",
"tracking": {
"current_release_date": "2025-12-05T06:19:32+00:00",
"generator": {
"date": "2025-12-05T06:19:32+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.13"
}
},
"id": "RHSA-2023:1047",
"initial_release_date": "2023-03-01T21:46:46+00:00",
"revision_history": [
{
"date": "2023-03-01T21:46:46+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-01T21:46:46+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-12-05T06:19:32+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Middleware Containers for OpenShift",
"product": {
"name": "Middleware Containers for OpenShift",
"product_id": "8Base-RHOSE-Middleware",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhosemc:1.0::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x",
"product": {
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x",
"product_id": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x",
"product_identification_helper": {
"purl": "pkg:oci/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21?arch=s390x\u0026repository_url=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8\u0026tag=7.6-20"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"product": {
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"product_id": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60?arch=ppc64le\u0026repository_url=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8\u0026tag=7.6-20"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"product": {
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"product_id": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f?arch=amd64\u0026repository_url=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8\u0026tag=7.6-20"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le as a component of Middleware Containers for OpenShift",
"product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le"
},
"product_reference": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"relates_to_product_reference": "8Base-RHOSE-Middleware"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 as a component of Middleware Containers for OpenShift",
"product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64"
},
"product_reference": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"relates_to_product_reference": "8Base-RHOSE-Middleware"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x as a component of Middleware Containers for OpenShift",
"product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
},
"product_reference": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x",
"relates_to_product_reference": "8Base-RHOSE-Middleware"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2021-35065",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156324"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glob-parent: Regular Expression Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-35065"
},
{
"category": "external",
"summary": "RHBZ#2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35065"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294",
"url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294"
}
],
"release_date": "2022-12-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "glob-parent: Regular Expression Denial of Service"
},
{
"cve": "CVE-2021-44906",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-03-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066009"
}
],
"notes": [
{
"category": "description",
"text": "An Uncontrolled Resource Consumption flaw was found in minimist. The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. This flaw (CVE-2021-44906) allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "minimist: prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "As minimist is an argument parsing module for nodejs, exploitation of this vulnerability requires an attacker to influence which arguments are passed to nodejs when running a script. Red Hat products and services are designed in such a way that gaining this ability is not trivial. Additionally, the impact is limited by only enabling the pollution of functions, and not all generic objects.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44906"
},
{
"category": "external",
"summary": "RHBZ#2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"
}
],
"release_date": "2022-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "minimist: prototype pollution"
},
{
"acknowledgments": [
{
"names": [
"Marcus Nilsson"
],
"organization": "usd AG"
}
],
"cve": "CVE-2022-1274",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-04-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2073157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: HTML injection in execute-actions-email Admin REST API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1274"
},
{
"category": "external",
"summary": "RHBZ#2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1274"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725"
}
],
"release_date": "2023-02-28T18:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: HTML injection in execute-actions-email Admin REST API"
},
{
"acknowledgments": [
{
"names": [
"Grzegorz Tworek"
],
"organization": "SISOFT s.c."
}
],
"cve": "CVE-2022-1438",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2021-12-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031904"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: XSS on impersonation under specific circumstances",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1438"
},
{
"category": "external",
"summary": "RHBZ#2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1438"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438"
}
],
"release_date": "2023-02-28T18:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: XSS on impersonation under specific circumstances"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-2764",
"discovery_date": "2022-08-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2117506"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2764"
},
{
"category": "external",
"summary": "RHBZ#2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2764"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764"
}
],
"release_date": "2022-08-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations"
},
{
"cve": "CVE-2022-3782",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-10-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2138971"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: path traversal via double URL encoding",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not impacted as this CVE affects the server-side Keycloak execution but Quarkus only acts as a Keycloak client in its quarkus-keycloak-authorization extension. For this reason Quarkus is marked with Low impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3782"
},
{
"category": "external",
"summary": "RHBZ#2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3782",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3782"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782"
}
],
"release_date": "2022-12-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: path traversal via double URL encoding"
},
{
"acknowledgments": [
{
"names": [
"Peter Flintholm"
],
"organization": "Trifork"
}
],
"cve": "CVE-2022-3916",
"cwe": {
"id": "CWE-384",
"name": "Session Fixation"
},
"discovery_date": "2022-11-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2141404"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Session takeover with OIDC offline refreshtokens",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3916"
},
{
"category": "external",
"summary": "RHBZ#2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3916"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916"
}
],
"release_date": "2022-11-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Session takeover with OIDC offline refreshtokens"
},
{
"acknowledgments": [
{
"names": [
"Thibault Guittet"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2022-4039",
"cwe": {
"id": "CWE-276",
"name": "Incorrect Default Permissions"
},
"discovery_date": "2022-11-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2143416"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with an unsecured management interface enabled. This flaw allows an attacker to use this interface to deploy malicious code and access and modify potentially sensitive information in the app server configuration.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rhsso-container-image: unsecured management interface exposed to adjecent network",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4039"
},
{
"category": "external",
"summary": "RHBZ#2143416",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143416"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4039",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4039"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4039",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4039"
}
],
"release_date": "2023-02-28T21:26:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "rhsso-container-image: unsecured management interface exposed to adjecent network"
},
{
"cve": "CVE-2022-24785",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-04-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2072009"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Moment.js: Path traversal in moment.locale",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Quay 3.10 and above, no version of affected momentjs is present.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24785"
},
{
"category": "external",
"summary": "RHBZ#2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4",
"url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
}
],
"release_date": "2022-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
},
{
"category": "workaround",
"details": "Sanitize the user-provided locale name before passing it to Moment.js.",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Moment.js: Path traversal in moment.locale"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-31129",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-07-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2105075"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "moment: inefficient parsing algorithm resulting in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.\n\nIn Quay IO 3.10 and above, no version of affected momentjs is present.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31129"
},
{
"category": "external",
"summary": "RHBZ#2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
"url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
}
],
"release_date": "2022-07-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "moment: inefficient parsing algorithm resulting in DoS"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-38749",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129706"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38749"
},
{
"category": "external",
"summary": "RHBZ#2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode"
},
{
"cve": "CVE-2022-38750",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129707"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38750"
},
{
"category": "external",
"summary": "RHBZ#2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject"
},
{
"cve": "CVE-2022-38751",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129709"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38751"
},
{
"category": "external",
"summary": "RHBZ#2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46175",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json5: Prototype Pollution in JSON5 via Parse Method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46175"
},
{
"category": "external",
"summary": "RHBZ#2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175"
},
{
"category": "external",
"summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h",
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
}
],
"release_date": "2022-12-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "json5: Prototype Pollution in JSON5 via Parse Method"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "CXF: SSRF Vulnerability"
},
{
"acknowledgments": [
{
"names": [
"Sourav Kumar"
],
"organization": "https://github.com/souravs17031999",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0091",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Client Registration endpoint does not check token revocation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0091"
},
{
"category": "external",
"summary": "RHBZ#2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0091"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg"
},
{
"category": "external",
"summary": "https://github.com/keycloak/security/issues/27",
"url": "https://github.com/keycloak/security/issues/27"
}
],
"release_date": "2022-10-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Client Registration endpoint does not check token revocation"
},
{
"acknowledgments": [
{
"names": [
"Jordi Zayuelas i Mu\u00f1oz"
],
"organization": "A1 Digital",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0264",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2023-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: user impersonation via stolen uuid code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0264"
},
{
"category": "external",
"summary": "RHBZ#2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0264"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264"
}
],
"release_date": "2023-02-28T18:58:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: user impersonation via stolen uuid code"
}
]
}
RHSA-2023:3198
Vulnerability from csaf_redhat - Published: 2023-05-17 17:53 - Updated: 2025-11-21 18:40Summary
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
Notes
Topic
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.11.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* apache-commons-text: variable interpolation RCE (CVE-2022-42889)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43401)
* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43403)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43404)
* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin (CVE-2022-43405)
* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)
* maven: Block repositories using http by default (CVE-2021-26291)
* SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)
* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)
* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)
* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)
* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin (CVE-2022-43409)
* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)
* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)
* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)
* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.11.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* apache-commons-text: variable interpolation RCE (CVE-2022-42889)\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43401)\n\n* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43403)\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43404)\n\n* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin (CVE-2022-43405)\n\n* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)\n\n* maven: Block repositories using http by default (CVE-2021-26291)\n\n* SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)\n\n* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)\n\n* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)\n\n* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)\n\n* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)\n\n* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)\n\n* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin (CVE-2022-43409)\n\n* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)\n\n* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)\n\n* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)\n\n* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:3198",
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://docs.openshift.com/container-platform/4.11/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"url": "https://docs.openshift.com/container-platform/4.11/cicd/jenkins/important-changes-to-openshift-jenkins-images.html"
},
{
"category": "external",
"summary": "1955739",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1955739"
},
{
"category": "external",
"summary": "2066479",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066479"
},
{
"category": "external",
"summary": "2119646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646"
},
{
"category": "external",
"summary": "2119647",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2135435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
},
{
"category": "external",
"summary": "2136370",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370"
},
{
"category": "external",
"summary": "2136374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374"
},
{
"category": "external",
"summary": "2136379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379"
},
{
"category": "external",
"summary": "2136381",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381"
},
{
"category": "external",
"summary": "2136382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382"
},
{
"category": "external",
"summary": "2136383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383"
},
{
"category": "external",
"summary": "2136386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386"
},
{
"category": "external",
"summary": "2136388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388"
},
{
"category": "external",
"summary": "2136391",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2164278",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164278"
},
{
"category": "external",
"summary": "2170039",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170039"
},
{
"category": "external",
"summary": "2170041",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170041"
},
{
"category": "external",
"summary": "2177632",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177632"
},
{
"category": "external",
"summary": "2177634",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177634"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3198.json"
}
],
"title": "Red Hat Security Advisory: jenkins and jenkins-2-plugins security update",
"tracking": {
"current_release_date": "2025-11-21T18:40:45+00:00",
"generator": {
"date": "2025-11-21T18:40:45+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2023:3198",
"initial_release_date": "2023-05-17T17:53:04+00:00",
"revision_history": [
{
"date": "2023-05-17T17:53:04+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-05-17T17:53:04+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:40:45+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8",
"product": {
"name": "OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8",
"product_id": "8Base-OCP-Tools-4.11",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.11::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Jenkins"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.387.1.1683009763-3.el8.src",
"product": {
"name": "jenkins-0:2.387.1.1683009763-3.el8.src",
"product_id": "jenkins-0:2.387.1.1683009763-3.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.387.1.1683009763-3.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.11.1683009941-1.el8.src",
"product": {
"name": "jenkins-2-plugins-0:4.11.1683009941-1.el8.src",
"product_id": "jenkins-2-plugins-0:4.11.1683009941-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.11.1683009941-1.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.387.1.1683009763-3.el8.noarch",
"product": {
"name": "jenkins-0:2.387.1.1683009763-3.el8.noarch",
"product_id": "jenkins-0:2.387.1.1683009763-3.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.387.1.1683009763-3.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"product": {
"name": "jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"product_id": "jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.11.1683009941-1.el8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.387.1.1683009763-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8",
"product_id": "8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch"
},
"product_reference": "jenkins-0:2.387.1.1683009763-3.el8.noarch",
"relates_to_product_reference": "8Base-OCP-Tools-4.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.387.1.1683009763-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8",
"product_id": "8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
},
"product_reference": "jenkins-0:2.387.1.1683009763-3.el8.src",
"relates_to_product_reference": "8Base-OCP-Tools-4.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8",
"product_id": "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch"
},
"product_reference": "jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"relates_to_product_reference": "8Base-OCP-Tools-4.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.11.1683009941-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8",
"product_id": "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
},
"product_reference": "jenkins-2-plugins-0:4.11.1683009941-1.el8.src",
"relates_to_product_reference": "8Base-OCP-Tools-4.11"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-26291",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-04-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1955739"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in maven. Repositories that are defined in a dependency\u2019s Project Object Model (pom), which may be unknown to users, are used by default resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "maven: Block repositories using http by default",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-26291"
},
{
"category": "external",
"summary": "RHBZ#1955739",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1955739"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-26291",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-26291"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-26291",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26291"
},
{
"category": "external",
"summary": "https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291",
"url": "https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291"
}
],
"release_date": "2021-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
},
{
"category": "workaround",
"details": "To avoid possible man-in-the-middle related attacks with this flaw, ensure any linked repositories in maven POMs use https and not http.",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "maven: Block repositories using http by default"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-29599",
"cwe": {
"id": "CWE-77",
"name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
},
"discovery_date": "2022-03-15T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066479"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the maven-shared-utils package. This issue allows a Command Injection due to improper escaping, allowing a shell injection attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "maven-shared-utils: Command injection via Commandline class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite ships Candlepin component, which uses the Tomcatjss module from the RHEL AppStream repository. In turn, Tomcatjss relies on Maven, which itself depends on affected Apache Maven Shared Utils. Due to the fact that Satellite does not directly use Apache Maven Shared Utils, or expose it in its code, it is considered not affected by the flaw. Satellite customers can resolve the security warning by updating to the fixed Apache Maven Shared Utils through the updated Maven module, which is available in the RHEL 8 AppStream repository. It\u0027s worth noting that this solution applies solely to RHEL 8, which supports modules exclusively, and it is not applicable to earlier versions including RHEL 7.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-29599"
},
{
"category": "external",
"summary": "RHBZ#2066479",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066479"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-29599",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29599"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-29599",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29599"
}
],
"release_date": "2020-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "maven-shared-utils: Command injection via Commandline class"
},
{
"cve": "CVE-2022-30953",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119646"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: CSRF vulnerability in Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30953"
},
{
"category": "external",
"summary": "RHBZ#2119646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30953",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30953"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: CSRF vulnerability in Blue Ocean Plugin"
},
{
"cve": "CVE-2022-30954",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119647"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: missing permission checks in Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30954"
},
{
"category": "external",
"summary": "RHBZ#2119647",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30954",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30954"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: missing permission checks in Blue Ocean Plugin"
},
{
"cve": "CVE-2022-42889",
"cwe": {
"id": "CWE-1188",
"name": "Initialization of a Resource with an Insecure Default"
},
"discovery_date": "2022-10-15T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135435"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-text: variable interpolation RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42889"
},
{
"category": "external",
"summary": "RHBZ#2135435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42889",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42889"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889"
},
{
"category": "external",
"summary": "https://blogs.apache.org/security/entry/cve-2022-42889",
"url": "https://blogs.apache.org/security/entry/cve-2022-42889"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om",
"url": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om"
},
{
"category": "external",
"summary": "https://seclists.org/oss-sec/2022/q4/22",
"url": "https://seclists.org/oss-sec/2022/q4/22"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
},
{
"category": "workaround",
"details": "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-commons-text: variable interpolation RCE"
},
{
"cve": "CVE-2022-43401",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136381"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43401"
},
{
"category": "external",
"summary": "RHBZ#2136381",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43401",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43401"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43402",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136379"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43402"
},
{
"category": "external",
"summary": "RHBZ#2136379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43402",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43402"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin"
},
{
"cve": "CVE-2022-43403",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136382"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43403"
},
{
"category": "external",
"summary": "RHBZ#2136382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43403",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43403"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43404",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136383"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43404"
},
{
"category": "external",
"summary": "RHBZ#2136383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43404",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43404"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43405",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136374"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43405"
},
{
"category": "external",
"summary": "RHBZ#2136374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43405",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43405"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-43406",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136370"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43406"
},
{
"category": "external",
"summary": "RHBZ#2136370",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43406",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43406"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-43407",
"cwe": {
"id": "CWE-838",
"name": "Inappropriate Encoding for Output Context"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136386"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability was found in a Jenkins plugin. This issue may allow an unauthenticated attacker to access Jenkins builds, bypassing CSRF protections. This could compromise the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43407"
},
{
"category": "external",
"summary": "RHBZ#2136386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43407",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43407"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin"
},
{
"cve": "CVE-2022-43408",
"cwe": {
"id": "CWE-838",
"name": "Inappropriate Encoding for Output Context"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136388"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site request forgery (CSRF) vulnerability was found in a Jenkins plugin. This issue may allow an authenticated attacker to access Jenkins builds, bypassing CSRF protections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43408"
},
{
"category": "external",
"summary": "RHBZ#2136388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43408",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43408"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin"
},
{
"cve": "CVE-2022-43409",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136391"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability was found in a Jenkins plugin. This issue may allow an authenticated remote attacker to create Pipelines.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43409"
},
{
"category": "external",
"summary": "RHBZ#2136391",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43409",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43409"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2023-24422",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2023-01-25T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2164278"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the script-security Jenkins Plugin. In affected versions of the script-security plugin, property assignments performed implicitly by the Groovy language runtime when invoking map constructors were not intercepted by the sandbox. This vulnerability allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as out of support scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-24422"
},
{
"category": "external",
"summary": "RHBZ#2164278",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164278"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-24422",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24422"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24422",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24422"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016",
"url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016"
}
],
"release_date": "2023-01-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin"
},
{
"cve": "CVE-2023-25761",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-02-15T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2170039"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jenkins JUnit plugin. The affected versions of the JUnit Plugin do not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability. This may allow an attacker to control test case class names in the JUnit resources processed by the plugin.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support, therefore, the OpenShift 3.11 Jenkins component is marked as out of support scope in this CVE.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-25761"
},
{
"category": "external",
"summary": "RHBZ#2170039",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170039"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-25761",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25761"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-25761",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25761"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3032",
"url": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3032"
}
],
"release_date": "2023-02-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin"
},
{
"cve": "CVE-2023-25762",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-02-15T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2170041"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jenkins pipeline-build-step plugin. Affected versions of the pipeline-build-step plugin do not escape job names in a JavaScript expression used in the Pipeline Snippet Generator. This can result in a stored cross-site scripting (XSS) vulnerability that may allow attackers to control job names.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support, therefore, the OpenShift 3.11 Jenkins component is marked as out of support scope in this CVE.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-25762"
},
{
"category": "external",
"summary": "RHBZ#2170041",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170041"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-25762",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25762"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-25762",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25762"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3019",
"url": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3019"
}
],
"release_date": "2023-02-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin"
},
{
"cve": "CVE-2023-27903",
"cwe": {
"id": "CWE-266",
"name": "Incorrect Privilege Assignment"
},
"discovery_date": "2023-03-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2177632"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. When triggering a build from the Jenkins CLI, Jenkins creates a temporary file on the controller if a file parameter is provided through the CLI\u2019s standard input. Affected versions of Jenkins create this temporary file in the default temporary directory with the default permissions for newly created files. If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is used in the build.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Jenkins: Temporary file parameter created with insecure permissions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-27903"
},
{
"category": "external",
"summary": "RHBZ#2177632",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177632"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-27903",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27903"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-27903",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27903"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058",
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058"
}
],
"release_date": "2023-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Jenkins: Temporary file parameter created with insecure permissions"
},
{
"cve": "CVE-2023-27904",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2023-03-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2177634"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Jenkins: Information disclosure through error stack traces related to agents",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-27904"
},
{
"category": "external",
"summary": "RHBZ#2177634",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177634"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-27904",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27904"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-27904",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27904"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120",
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120"
}
],
"release_date": "2023-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Jenkins: Information disclosure through error stack traces related to agents"
}
]
}
RHSA-2023_1064
Vulnerability from csaf_redhat - Published: 2023-03-06 09:01 - Updated: 2024-12-10 17:45Summary
Red Hat Security Advisory: OpenShift Developer Tools and Services for OCP 4.12 security update
Notes
Topic
An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43401)
* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43403)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43404)
* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin (CVE-2022-43405)
* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)
* Pipeline Shared Groovy Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin (CVE-2022-29047)
* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)
* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin (CVE-2022-43409)
* jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin (CVE-2022-43410)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43401)\n\n* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43403)\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43404)\n\n* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin (CVE-2022-43405)\n\n* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)\n\n* Pipeline Shared Groovy Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin (CVE-2022-29047)\n\n* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)\n\n* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)\n\n* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin (CVE-2022-43409)\n\n* jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin (CVE-2022-43410)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1064",
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "2074855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2074855"
},
{
"category": "external",
"summary": "2119645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119645"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2136369",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136369"
},
{
"category": "external",
"summary": "2136370",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370"
},
{
"category": "external",
"summary": "2136374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374"
},
{
"category": "external",
"summary": "2136379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379"
},
{
"category": "external",
"summary": "2136381",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381"
},
{
"category": "external",
"summary": "2136382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382"
},
{
"category": "external",
"summary": "2136383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383"
},
{
"category": "external",
"summary": "2136386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386"
},
{
"category": "external",
"summary": "2136388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388"
},
{
"category": "external",
"summary": "2136391",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1064.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Developer Tools and Services for OCP 4.12 security update",
"tracking": {
"current_release_date": "2024-12-10T17:45:19+00:00",
"generator": {
"date": "2024-12-10T17:45:19+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:1064",
"initial_release_date": "2023-03-06T09:01:46+00:00",
"revision_history": [
{
"date": "2023-03-06T09:01:46+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-06T09:01:46+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-10T17:45:19+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services for OCP 4.12",
"product": {
"name": "OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.12::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Jenkins"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.361.4.1675702346-3.el8.src",
"product": {
"name": "jenkins-0:2.361.4.1675702346-3.el8.src",
"product_id": "jenkins-0:2.361.4.1675702346-3.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.361.4.1675702346-3.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.12.1675702407-1.el8.src",
"product": {
"name": "jenkins-2-plugins-0:4.12.1675702407-1.el8.src",
"product_id": "jenkins-2-plugins-0:4.12.1675702407-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.12.1675702407-1.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.361.4.1675702346-3.el8.noarch",
"product": {
"name": "jenkins-0:2.361.4.1675702346-3.el8.noarch",
"product_id": "jenkins-0:2.361.4.1675702346-3.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.361.4.1675702346-3.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"product": {
"name": "jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"product_id": "jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.12.1675702407-1.el8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.361.4.1675702346-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch"
},
"product_reference": "jenkins-0:2.361.4.1675702346-3.el8.noarch",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.361.4.1675702346-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
},
"product_reference": "jenkins-0:2.361.4.1675702346-3.el8.src",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch"
},
"product_reference": "jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.12.1675702407-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
},
"product_reference": "jenkins-2-plugins-0:4.12.1675702407-1.el8.src",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-29047",
"cwe": {
"id": "CWE-288",
"name": "Authentication Bypass Using an Alternate Path or Channel"
},
"discovery_date": "2022-04-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2074855"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jenkins Pipeline: Shared Groovy Libraries plugin. The Jenkins Pipeline: Shared Groovy Libraries plugin allows attackers to submit pull requests. However, the attacker cannot commit directly to the configured Source Control Management (SCM) to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even with the Pipeline configured not to trust them.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-29047"
},
{
"category": "external",
"summary": "RHBZ#2074855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2074855"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-29047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-29047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29047"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-1951",
"url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-1951"
}
],
"release_date": "2022-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-30952",
"cwe": {
"id": "CWE-668",
"name": "Exposure of Resource to Wrong Sphere"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119645"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30952"
},
{
"category": "external",
"summary": "RHBZ#2119645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30952",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30952"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30952",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30952"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-43401",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136381"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43401"
},
{
"category": "external",
"summary": "RHBZ#2136381",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43401",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43401"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43402",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136379"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43402"
},
{
"category": "external",
"summary": "RHBZ#2136379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43402",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43402"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin"
},
{
"cve": "CVE-2022-43403",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136382"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43403"
},
{
"category": "external",
"summary": "RHBZ#2136382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43403",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43403"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43404",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136383"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43404"
},
{
"category": "external",
"summary": "RHBZ#2136383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43404",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43404"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43405",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136374"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43405"
},
{
"category": "external",
"summary": "RHBZ#2136374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43405",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43405"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-43406",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136370"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43406"
},
{
"category": "external",
"summary": "RHBZ#2136370",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43406",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43406"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-43407",
"cwe": {
"id": "CWE-838",
"name": "Inappropriate Encoding for Output Context"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136386"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability was found in a Jenkins plugin. This issue may allow an unauthenticated attacker to access Jenkins builds, bypassing CSRF protections. This could compromise the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43407"
},
{
"category": "external",
"summary": "RHBZ#2136386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43407",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43407"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin"
},
{
"cve": "CVE-2022-43408",
"cwe": {
"id": "CWE-838",
"name": "Inappropriate Encoding for Output Context"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136388"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site request forgery (CSRF) vulnerability was found in a Jenkins plugin. This issue may allow an authenticated attacker to access Jenkins builds, bypassing CSRF protections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43408"
},
{
"category": "external",
"summary": "RHBZ#2136388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43408",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43408"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin"
},
{
"cve": "CVE-2022-43409",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136391"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability was found in a Jenkins plugin. This issue may allow an authenticated remote attacker to create Pipelines.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43409"
},
{
"category": "external",
"summary": "RHBZ#2136391",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43409",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43409"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin"
},
{
"cve": "CVE-2022-43410",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136369"
}
],
"notes": [
{
"category": "description",
"text": "An information leak was found in a Jenkins plugin. This issue could allow an unauthenticated remote attacker to issue GET requests. The greatest impact is to confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43410"
},
{
"category": "external",
"summary": "RHBZ#2136369",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136369"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43410",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43410"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43410",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43410"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2831",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2831"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
}
]
}
RHSA-2023:0758
Vulnerability from csaf_redhat - Published: 2023-02-14 12:11 - Updated: 2025-11-21 18:37Summary
Red Hat Security Advisory: Red Hat build of Quarkus 2.13.7 release and security update
Notes
Topic
An update is now available for Red Hat build of Quarkus.
Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability. For more
information, see the CVE links in the References section.
Details
This release of Red Hat build of Quarkus 2.13.7 includes security updates, bug
fixes, and enhancements. For more information, see the release notes page listed in the References section.
Security Fix(es):
* CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2.13]
* CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [quarkus-2.13]
* CVE-2022-45047 sshd-common: mina-sshd: Java unsafe deserialization vulnerability [quarkus-2.13]
* CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2.13]
* CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2.13]
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of\nModerate. A Common Vulnerability Scoring System (CVSS) base score, which gives a\ndetailed severity rating, is available for each vulnerability. For more\ninformation, see the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat build of Quarkus 2.13.7 includes security updates, bug\nfixes, and enhancements. For more information, see the release notes page listed in the References section.\n\nSecurity Fix(es):\n\n* CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2.13]\n\n* CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [quarkus-2.13]\n\n* CVE-2022-45047 sshd-common: mina-sshd: Java unsafe deserialization vulnerability [quarkus-2.13]\n\n* CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2.13]\n\n* CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2.13]\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0758",
"url": "https://access.redhat.com/errata/RHSA-2023:0758"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=2.13.7",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=2.13.7"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.13/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.13/"
},
{
"category": "external",
"summary": "https://access.redhat.com/articles/4966181",
"url": "https://access.redhat.com/articles/4966181"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "external",
"summary": "2153399",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153399"
},
{
"category": "external",
"summary": "2158081",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158081"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0758.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Quarkus 2.13.7 release and security update",
"tracking": {
"current_release_date": "2025-11-21T18:37:43+00:00",
"generator": {
"date": "2025-11-21T18:37:43+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2023:0758",
"initial_release_date": "2023-02-14T12:11:49+00:00",
"revision_history": [
{
"date": "2023-02-14T12:11:49+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-02-14T12:11:49+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:37:43+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Quarkus",
"product": {
"name": "Red Hat build of Quarkus",
"product_id": "Red Hat build of Quarkus",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:quarkus:2.13"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Quarkus"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-14T12:11:49+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0758"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-41881",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2022-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2153379"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41881"
},
{
"category": "external",
"summary": "RHBZ#2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881"
}
],
"release_date": "2022-12-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-14T12:11:49+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0758"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS"
},
{
"cve": "CVE-2022-41946",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2022-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2153399"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn\u0027t make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41946"
},
{
"category": "external",
"summary": "RHBZ#2153399",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153399"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41946",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41946"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41946",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41946"
}
],
"release_date": "2022-11-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-14T12:11:49+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0758"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-14T12:11:49+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0758"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"Red Hat build of Quarkus"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"acknowledgments": [
{
"names": [
"Paulo Lopes"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2023-0044",
"discovery_date": "2023-01-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158081"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to `/`, then a cross-site attack may be initiated, which might lead to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0044"
},
{
"category": "external",
"summary": "RHBZ#2158081",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158081"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0044",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0044"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0044",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0044"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-c57v-hc7m-8px2",
"url": "https://github.com/advisories/GHSA-c57v-hc7m-8px2"
}
],
"release_date": "2023-01-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-14T12:11:49+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0758"
},
{
"category": "workaround",
"details": "This attack can be prevented with the Quarkus CSRF Prevention feature.",
"product_ids": [
"Red Hat build of Quarkus"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure"
}
]
}
RHSA-2023:0777
Vulnerability from csaf_redhat - Published: 2023-02-23 00:01 - Updated: 2025-11-21 18:37Summary
Red Hat Security Advisory: OpenShift Container Platform 4.9.56 security update
Notes
Topic
Red Hat OpenShift Container Platform release 4.9.56 is now available with updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.9.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.56. See the following advisory for the container images for this release:
https://access.redhat.com/errata/RHSA-2023:0778
Security Fix(es):
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43401)
* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43403)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43404)
* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin (CVE-2022-43405)
* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)
* google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization (CVE-2020-7692)
* SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions (CVE-2022-45379)
* jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2022-45380)
* jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin (CVE-2022-45381)
* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)
* Jenkins plugin: CSRF vulnerability in Script Security Plugin (CVE-2022-30946)
* Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)
* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)
* jenkins: Observable timing discrepancy allows determining username validity (CVE-2022-34174)
* jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git (CVE-2022-36882)
* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook (CVE-2022-36883)
* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook (CVE-2022-36884)
* jenkins plugin: Non-constant time webhook signature comparison in GitHub Plugin (CVE-2022-36885)
* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)
* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin (CVE-2022-43409)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.9 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Container Platform release 4.9.56 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nThis release includes a security update for Red Hat OpenShift Container Platform 4.9.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.56. See the following advisory for the container images for this release:\n\nhttps://access.redhat.com/errata/RHSA-2023:0778\n\nSecurity Fix(es):\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43401)\n\n* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43403)\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43404)\n\n* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin (CVE-2022-43405)\n\n* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)\n\n* google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization (CVE-2020-7692)\n\n* SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)\n\n* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions (CVE-2022-45379)\n\n* jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2022-45380)\n\n* jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin (CVE-2022-45381)\n\n* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)\n\n* Jenkins plugin: CSRF vulnerability in Script Security Plugin (CVE-2022-30946)\n\n* Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)\n\n* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)\n\n* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)\n\n* jenkins: Observable timing discrepancy allows determining username validity (CVE-2022-34174)\n\n* jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git (CVE-2022-36882)\n\n* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook (CVE-2022-36883)\n\n* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook (CVE-2022-36884)\n\n* jenkins plugin: Non-constant time webhook signature comparison in GitHub Plugin (CVE-2022-36885)\n\n* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)\n\n* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin (CVE-2022-43409)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll OpenShift Container Platform 4.9 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0777",
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"url": "https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html"
},
{
"category": "external",
"summary": "1856376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856376"
},
{
"category": "external",
"summary": "2116840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116840"
},
{
"category": "external",
"summary": "2116952",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116952"
},
{
"category": "external",
"summary": "2119643",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119643"
},
{
"category": "external",
"summary": "2119645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119645"
},
{
"category": "external",
"summary": "2119646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646"
},
{
"category": "external",
"summary": "2119647",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647"
},
{
"category": "external",
"summary": "2119653",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119653"
},
{
"category": "external",
"summary": "2119656",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119656"
},
{
"category": "external",
"summary": "2119657",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119657"
},
{
"category": "external",
"summary": "2119658",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119658"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2136370",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370"
},
{
"category": "external",
"summary": "2136374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374"
},
{
"category": "external",
"summary": "2136379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379"
},
{
"category": "external",
"summary": "2136381",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381"
},
{
"category": "external",
"summary": "2136382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382"
},
{
"category": "external",
"summary": "2136383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383"
},
{
"category": "external",
"summary": "2136386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386"
},
{
"category": "external",
"summary": "2136388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388"
},
{
"category": "external",
"summary": "2136391",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391"
},
{
"category": "external",
"summary": "2143086",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143086"
},
{
"category": "external",
"summary": "2143089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143089"
},
{
"category": "external",
"summary": "2143090",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143090"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0777.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.9.56 security update",
"tracking": {
"current_release_date": "2025-11-21T18:37:45+00:00",
"generator": {
"date": "2025-11-21T18:37:45+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2023:0777",
"initial_release_date": "2023-02-23T00:01:27+00:00",
"revision_history": [
{
"date": "2023-02-23T00:01:27+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-02-23T00:01:27+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:37:45+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.9",
"product": {
"name": "Red Hat OpenShift Container Platform 4.9",
"product_id": "8Base-RHOSE-4.9",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.9::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.361.1.1675668150-1.el8.src",
"product": {
"name": "jenkins-0:2.361.1.1675668150-1.el8.src",
"product_id": "jenkins-0:2.361.1.1675668150-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.361.1.1675668150-1.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.9.1675668922-1.el8.src",
"product": {
"name": "jenkins-2-plugins-0:4.9.1675668922-1.el8.src",
"product_id": "jenkins-2-plugins-0:4.9.1675668922-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.9.1675668922-1.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.361.1.1675668150-1.el8.noarch",
"product": {
"name": "jenkins-0:2.361.1.1675668150-1.el8.noarch",
"product_id": "jenkins-0:2.361.1.1675668150-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.361.1.1675668150-1.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"product": {
"name": "jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"product_id": "jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.9.1675668922-1.el8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.361.1.1675668150-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.9",
"product_id": "8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch"
},
"product_reference": "jenkins-0:2.361.1.1675668150-1.el8.noarch",
"relates_to_product_reference": "8Base-RHOSE-4.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.361.1.1675668150-1.el8.src as a component of Red Hat OpenShift Container Platform 4.9",
"product_id": "8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
},
"product_reference": "jenkins-0:2.361.1.1675668150-1.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.9",
"product_id": "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch"
},
"product_reference": "jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"relates_to_product_reference": "8Base-RHOSE-4.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.9.1675668922-1.el8.src as a component of Red Hat OpenShift Container Platform 4.9",
"product_id": "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
},
"product_reference": "jenkins-2-plugins-0:4.9.1675668922-1.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.9"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-7692",
"cwe": {
"id": "CWE-358",
"name": "Improperly Implemented Security Check for Standard"
},
"discovery_date": "2020-07-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1856376"
}
],
"notes": [
{
"category": "description",
"text": "PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-7692"
},
{
"category": "external",
"summary": "RHBZ#1856376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-7692",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7692"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7692",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7692"
}
],
"release_date": "2020-07-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-2048",
"cwe": {
"id": "CWE-410",
"name": "Insufficient Resource Pool"
},
"discovery_date": "2022-08-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2116952"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Eclipse Jetty http2-server package. This flaw allows an attacker to cause a denial of service in the server via HTTP/2 requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "http2-server: Invalid HTTP/2 requests cause DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2048"
},
{
"category": "external",
"summary": "RHBZ#2116952",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116952"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2048",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2048"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2048",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2048"
},
{
"category": "external",
"summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j"
}
],
"release_date": "2022-07-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "http2-server: Invalid HTTP/2 requests cause DoS"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-30946",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119643"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: CSRF vulnerability in Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30946"
},
{
"category": "external",
"summary": "RHBZ#2119643",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119643"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30946",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30946"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30946",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30946"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2116",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2116"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: CSRF vulnerability in Script Security Plugin"
},
{
"cve": "CVE-2022-30952",
"cwe": {
"id": "CWE-668",
"name": "Exposure of Resource to Wrong Sphere"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119645"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30952"
},
{
"category": "external",
"summary": "RHBZ#2119645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30952",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30952"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30952",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30952"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin"
},
{
"cve": "CVE-2022-30953",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119646"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: CSRF vulnerability in Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30953"
},
{
"category": "external",
"summary": "RHBZ#2119646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30953",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30953"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: CSRF vulnerability in Blue Ocean Plugin"
},
{
"cve": "CVE-2022-30954",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119647"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: missing permission checks in Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30954"
},
{
"category": "external",
"summary": "RHBZ#2119647",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30954",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30954"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: missing permission checks in Blue Ocean Plugin"
},
{
"cve": "CVE-2022-34174",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119653"
}
],
"notes": [
{
"category": "description",
"text": "In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Observable timing discrepancy allows determining username validity",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-34174"
},
{
"category": "external",
"summary": "RHBZ#2119653",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119653"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-34174",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34174"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-34174",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34174"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566",
"url": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566"
}
],
"release_date": "2022-06-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins: Observable timing discrepancy allows determining username validity"
},
{
"cve": "CVE-2022-36882",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2116840"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Git Jenkins plugin. The affected versions of the Git Jenkins Plugin allow attackers to trigger the builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36882"
},
{
"category": "external",
"summary": "RHBZ#2116840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116840"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36882",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36882"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36882",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36882"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284"
}
],
"release_date": "2022-08-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git"
},
{
"cve": "CVE-2022-36883",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119656"
}
],
"notes": [
{
"category": "description",
"text": "A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Lack of authentication mechanism in Git Plugin webhook",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36883"
},
{
"category": "external",
"summary": "RHBZ#2119656",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119656"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36883",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36883"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36883",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36883"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284"
}
],
"release_date": "2022-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: Lack of authentication mechanism in Git Plugin webhook"
},
{
"cve": "CVE-2022-36884",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119657"
}
],
"notes": [
{
"category": "description",
"text": "The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Lack of authentication mechanism in Git Plugin webhook",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36884"
},
{
"category": "external",
"summary": "RHBZ#2119657",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119657"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36884",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36884"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36884",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36884"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284"
}
],
"release_date": "2022-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: Lack of authentication mechanism in Git Plugin webhook"
},
{
"cve": "CVE-2022-36885",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119658"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Non-constant time webhook signature comparison in GitHub Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36885"
},
{
"category": "external",
"summary": "RHBZ#2119658",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119658"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36885",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36885"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36885",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36885"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849"
}
],
"release_date": "2022-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: Non-constant time webhook signature comparison in GitHub Plugin"
},
{
"cve": "CVE-2022-43401",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136381"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43401"
},
{
"category": "external",
"summary": "RHBZ#2136381",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43401",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43401"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43402",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136379"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43402"
},
{
"category": "external",
"summary": "RHBZ#2136379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43402",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43402"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin"
},
{
"cve": "CVE-2022-43403",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136382"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43403"
},
{
"category": "external",
"summary": "RHBZ#2136382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43403",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43403"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43404",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136383"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43404"
},
{
"category": "external",
"summary": "RHBZ#2136383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43404",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43404"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43405",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136374"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43405"
},
{
"category": "external",
"summary": "RHBZ#2136374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43405",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43405"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-43406",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136370"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43406"
},
{
"category": "external",
"summary": "RHBZ#2136370",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43406",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43406"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-43407",
"cwe": {
"id": "CWE-838",
"name": "Inappropriate Encoding for Output Context"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136386"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability was found in a Jenkins plugin. This issue may allow an unauthenticated attacker to access Jenkins builds, bypassing CSRF protections. This could compromise the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43407"
},
{
"category": "external",
"summary": "RHBZ#2136386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43407",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43407"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin"
},
{
"cve": "CVE-2022-43408",
"cwe": {
"id": "CWE-838",
"name": "Inappropriate Encoding for Output Context"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136388"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site request forgery (CSRF) vulnerability was found in a Jenkins plugin. This issue may allow an authenticated attacker to access Jenkins builds, bypassing CSRF protections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43408"
},
{
"category": "external",
"summary": "RHBZ#2136388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43408",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43408"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin"
},
{
"cve": "CVE-2022-43409",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136391"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability was found in a Jenkins plugin. This issue may allow an authenticated remote attacker to create Pipelines.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43409"
},
{
"category": "external",
"summary": "RHBZ#2136391",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43409",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43409"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45379",
"cwe": {
"id": "CWE-328",
"name": "Use of Weak Hash"
},
"discovery_date": "2022-11-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2143090"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the script-security Jenkins Plugin. SHA-1 no longer meets the security standards for producing a cryptographically secure message digest. The affected version of the script-security Plugin stores whole-script approvals as the SHA-1 hash of the approved script.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as out of support scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45379"
},
{
"category": "external",
"summary": "RHBZ#2143090",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143090"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45379",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45379"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45379",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45379"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2564",
"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2564"
}
],
"release_date": "2022-11-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions"
},
{
"cve": "CVE-2022-45380",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-11-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2143086"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the JUnit Jenkins Plugin. The affected version of the JUnit plugin converts HTTP(S) URLs in test report output to clickable links, which leads to a stored Cross-site scripting (XSS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45380"
},
{
"category": "external",
"summary": "RHBZ#2143086",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143086"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45380",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45380"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45380",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45380"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2888",
"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2888"
}
],
"release_date": "2022-11-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin"
},
{
"cve": "CVE-2022-45381",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-11-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2143089"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Pipeline Utility Steps Jenkins Plugin. The affected version of the Pipeline Utility Steps Plugin does not restrict the set of enabled prefix interpolators and bundles versions of this library that enable the file: prefix interpolator by default. This flaw allows attackers who can configure Pipelines to read arbitrary files from the Jenkins controller file system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence the OpenShift 3.11 Jenkins component is marked in this CVE as out of support scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45381"
},
{
"category": "external",
"summary": "RHBZ#2143089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143089"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45381",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45381"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45381",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45381"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949",
"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949"
}
],
"release_date": "2022-11-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin"
}
]
}
RHSA-2023:1043
Vulnerability from csaf_redhat - Published: 2023-03-01 22:02 - Updated: 2025-12-05 06:19Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 7
Notes
Topic
New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.2 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* keycloak: reflected XSS attack (CVE-2022-4137)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.2 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* jquery: Passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* keycloak: reflected XSS attack (CVE-2022-4137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1043",
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1043.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 7",
"tracking": {
"current_release_date": "2025-12-05T06:19:24+00:00",
"generator": {
"date": "2025-12-05T06:19:24+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.13"
}
},
"id": "RHSA-2023:1043",
"initial_release_date": "2023-03-01T22:02:40+00:00",
"revision_history": [
{
"date": "2023-03-01T22:02:40+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-01T22:02:40+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-12-05T06:19:24+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product": {
"name": "Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"product": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el7sso?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"product": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el7sso?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"product": {
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"product_id": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@18.0.6-1.redhat_00001.1.el7sso?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
},
"product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"relates_to_product_reference": "7Server-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src"
},
"product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"relates_to_product_reference": "7Server-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
},
"product_reference": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"relates_to_product_reference": "7Server-RHSSO-7.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. As PCS does not accept untrusted input, the vulnerable code cannot be controlled by an attacker.\n\nMultiple Red Hat offerings use doxygen to build documentation. During this process an affected jquery.js file can be included in the resulting package. The \u0027gcc\u0027 and \u0027tbb\u0027 packages were potentially vulnerable via this method.\n\nOpenShift Container Platform 4 is not affected because even though it uses the \u0027gcc\u0027 component, vulnerable code is limited within the libstdc++-docs rpm package, which is not shipped.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nStatic code analysis controls ensure that security flaws, including XSS vulnerabilities, are detected early in development by scanning code for improper input handling. This prevents vulnerable code from reaching production and encourages our developers to follow secure coding practices. System monitoring controls play a crucial role in detecting and responding to XSS attacks by analyzing logs, monitoring user behavior, and generating alerts for suspicious activity. Meanwhile, AWS WAF (Web Application Firewall) adds an extra layer of defense by filtering and blocking malicious input before it reaches the platform and/or application. Together, these controls create a defense-in-depth approach, reducing the risk of XSS exploitation by preventing, detecting, and mitigating attacks at multiple levels.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2025-01-23T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2021-35065",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156324"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glob-parent: Regular Expression Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-35065"
},
{
"category": "external",
"summary": "RHBZ#2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35065"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294",
"url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294"
}
],
"release_date": "2022-12-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "glob-parent: Regular Expression Denial of Service"
},
{
"cve": "CVE-2021-44906",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-03-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066009"
}
],
"notes": [
{
"category": "description",
"text": "An Uncontrolled Resource Consumption flaw was found in minimist. The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. This flaw (CVE-2021-44906) allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "minimist: prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "As minimist is an argument parsing module for nodejs, exploitation of this vulnerability requires an attacker to influence which arguments are passed to nodejs when running a script. Red Hat products and services are designed in such a way that gaining this ability is not trivial. Additionally, the impact is limited by only enabling the pollution of functions, and not all generic objects.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44906"
},
{
"category": "external",
"summary": "RHBZ#2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"
}
],
"release_date": "2022-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "minimist: prototype pollution"
},
{
"acknowledgments": [
{
"names": [
"Marcus Nilsson"
],
"organization": "usd AG"
}
],
"cve": "CVE-2022-1274",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-04-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2073157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: HTML injection in execute-actions-email Admin REST API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1274"
},
{
"category": "external",
"summary": "RHBZ#2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1274"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725"
}
],
"release_date": "2023-02-28T18:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: HTML injection in execute-actions-email Admin REST API"
},
{
"acknowledgments": [
{
"names": [
"Grzegorz Tworek"
],
"organization": "SISOFT s.c."
}
],
"cve": "CVE-2022-1438",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2021-12-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031904"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: XSS on impersonation under specific circumstances",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1438"
},
{
"category": "external",
"summary": "RHBZ#2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1438"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438"
}
],
"release_date": "2023-02-28T18:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: XSS on impersonation under specific circumstances"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-2764",
"discovery_date": "2022-08-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2117506"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2764"
},
{
"category": "external",
"summary": "RHBZ#2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2764"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764"
}
],
"release_date": "2022-08-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations"
},
{
"acknowledgments": [
{
"names": [
"Peter Flintholm"
],
"organization": "Trifork"
}
],
"cve": "CVE-2022-3916",
"cwe": {
"id": "CWE-384",
"name": "Session Fixation"
},
"discovery_date": "2022-11-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2141404"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Session takeover with OIDC offline refreshtokens",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3916"
},
{
"category": "external",
"summary": "RHBZ#2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3916"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916"
}
],
"release_date": "2022-11-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Session takeover with OIDC offline refreshtokens"
},
{
"cve": "CVE-2022-4137",
"cwe": {
"id": "CWE-81",
"name": "Improper Neutralization of Script in an Error Message Web Page"
},
"discovery_date": "2022-11-25T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2148496"
}
],
"notes": [
{
"category": "description",
"text": "A reflected cross-site scripting (XSS) vulnerability was found in the \u0027oob\u0027 OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: reflected XSS attack",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4137"
},
{
"category": "external",
"summary": "RHBZ#2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4137",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137"
}
],
"release_date": "2023-03-01T13:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: reflected XSS attack"
},
{
"cve": "CVE-2022-24785",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-04-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2072009"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Moment.js: Path traversal in moment.locale",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Quay 3.10 and above, no version of affected momentjs is present.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24785"
},
{
"category": "external",
"summary": "RHBZ#2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4",
"url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
}
],
"release_date": "2022-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
},
{
"category": "workaround",
"details": "Sanitize the user-provided locale name before passing it to Moment.js.",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Moment.js: Path traversal in moment.locale"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-31129",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-07-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2105075"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "moment: inefficient parsing algorithm resulting in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.\n\nIn Quay IO 3.10 and above, no version of affected momentjs is present.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31129"
},
{
"category": "external",
"summary": "RHBZ#2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
"url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
}
],
"release_date": "2022-07-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "moment: inefficient parsing algorithm resulting in DoS"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-38749",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129706"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38749"
},
{
"category": "external",
"summary": "RHBZ#2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode"
},
{
"cve": "CVE-2022-38750",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129707"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38750"
},
{
"category": "external",
"summary": "RHBZ#2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject"
},
{
"cve": "CVE-2022-38751",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129709"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38751"
},
{
"category": "external",
"summary": "RHBZ#2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46175",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json5: Prototype Pollution in JSON5 via Parse Method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46175"
},
{
"category": "external",
"summary": "RHBZ#2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175"
},
{
"category": "external",
"summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h",
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
}
],
"release_date": "2022-12-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "json5: Prototype Pollution in JSON5 via Parse Method"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "CXF: SSRF Vulnerability"
},
{
"acknowledgments": [
{
"names": [
"Sourav Kumar"
],
"organization": "https://github.com/souravs17031999",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0091",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Client Registration endpoint does not check token revocation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0091"
},
{
"category": "external",
"summary": "RHBZ#2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0091"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg"
},
{
"category": "external",
"summary": "https://github.com/keycloak/security/issues/27",
"url": "https://github.com/keycloak/security/issues/27"
}
],
"release_date": "2022-10-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Client Registration endpoint does not check token revocation"
},
{
"acknowledgments": [
{
"names": [
"Jordi Zayuelas i Mu\u00f1oz"
],
"organization": "A1 Digital",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0264",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2023-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: user impersonation via stolen uuid code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0264"
},
{
"category": "external",
"summary": "RHBZ#2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0264"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264"
}
],
"release_date": "2023-02-28T18:58:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: user impersonation via stolen uuid code"
}
]
}
RHSA-2023:1064
Vulnerability from csaf_redhat - Published: 2023-03-06 09:01 - Updated: 2025-11-21 18:38Summary
Red Hat Security Advisory: OpenShift Developer Tools and Services for OCP 4.12 security update
Notes
Topic
An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43401)
* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43403)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43404)
* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin (CVE-2022-43405)
* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)
* Pipeline Shared Groovy Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin (CVE-2022-29047)
* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)
* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin (CVE-2022-43409)
* jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin (CVE-2022-43410)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Jenkins and Jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43401)\n\n* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43403)\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43404)\n\n* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin (CVE-2022-43405)\n\n* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)\n\n* Pipeline Shared Groovy Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin (CVE-2022-29047)\n\n* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)\n\n* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)\n\n* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin (CVE-2022-43409)\n\n* jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin (CVE-2022-43410)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1064",
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "2074855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2074855"
},
{
"category": "external",
"summary": "2119645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119645"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2136369",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136369"
},
{
"category": "external",
"summary": "2136370",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370"
},
{
"category": "external",
"summary": "2136374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374"
},
{
"category": "external",
"summary": "2136379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379"
},
{
"category": "external",
"summary": "2136381",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381"
},
{
"category": "external",
"summary": "2136382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382"
},
{
"category": "external",
"summary": "2136383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383"
},
{
"category": "external",
"summary": "2136386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386"
},
{
"category": "external",
"summary": "2136388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388"
},
{
"category": "external",
"summary": "2136391",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1064.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Developer Tools and Services for OCP 4.12 security update",
"tracking": {
"current_release_date": "2025-11-21T18:38:14+00:00",
"generator": {
"date": "2025-11-21T18:38:14+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2023:1064",
"initial_release_date": "2023-03-06T09:01:46+00:00",
"revision_history": [
{
"date": "2023-03-06T09:01:46+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-06T09:01:46+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:38:14+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services for OCP 4.12",
"product": {
"name": "OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.12::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Jenkins"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.361.4.1675702346-3.el8.src",
"product": {
"name": "jenkins-0:2.361.4.1675702346-3.el8.src",
"product_id": "jenkins-0:2.361.4.1675702346-3.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.361.4.1675702346-3.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.12.1675702407-1.el8.src",
"product": {
"name": "jenkins-2-plugins-0:4.12.1675702407-1.el8.src",
"product_id": "jenkins-2-plugins-0:4.12.1675702407-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.12.1675702407-1.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.361.4.1675702346-3.el8.noarch",
"product": {
"name": "jenkins-0:2.361.4.1675702346-3.el8.noarch",
"product_id": "jenkins-0:2.361.4.1675702346-3.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.361.4.1675702346-3.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"product": {
"name": "jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"product_id": "jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.12.1675702407-1.el8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.361.4.1675702346-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch"
},
"product_reference": "jenkins-0:2.361.4.1675702346-3.el8.noarch",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.361.4.1675702346-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
},
"product_reference": "jenkins-0:2.361.4.1675702346-3.el8.src",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch"
},
"product_reference": "jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.12.1675702407-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.12",
"product_id": "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
},
"product_reference": "jenkins-2-plugins-0:4.12.1675702407-1.el8.src",
"relates_to_product_reference": "8Base-OCP-Tools-4.12"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-29047",
"cwe": {
"id": "CWE-288",
"name": "Authentication Bypass Using an Alternate Path or Channel"
},
"discovery_date": "2022-04-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2074855"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jenkins Pipeline: Shared Groovy Libraries plugin. The Jenkins Pipeline: Shared Groovy Libraries plugin allows attackers to submit pull requests. However, the attacker cannot commit directly to the configured Source Control Management (SCM) to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even with the Pipeline configured not to trust them.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-29047"
},
{
"category": "external",
"summary": "RHBZ#2074855",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2074855"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-29047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-29047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29047"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-1951",
"url": "https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-1951"
}
],
"release_date": "2022-04-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-30952",
"cwe": {
"id": "CWE-668",
"name": "Exposure of Resource to Wrong Sphere"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119645"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30952"
},
{
"category": "external",
"summary": "RHBZ#2119645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30952",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30952"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30952",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30952"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-43401",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136381"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43401"
},
{
"category": "external",
"summary": "RHBZ#2136381",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43401",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43401"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43402",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136379"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43402"
},
{
"category": "external",
"summary": "RHBZ#2136379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43402",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43402"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin"
},
{
"cve": "CVE-2022-43403",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136382"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43403"
},
{
"category": "external",
"summary": "RHBZ#2136382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43403",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43403"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43404",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136383"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43404"
},
{
"category": "external",
"summary": "RHBZ#2136383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43404",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43404"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43405",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136374"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43405"
},
{
"category": "external",
"summary": "RHBZ#2136374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43405",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43405"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-43406",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136370"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43406"
},
{
"category": "external",
"summary": "RHBZ#2136370",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43406",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43406"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-43407",
"cwe": {
"id": "CWE-838",
"name": "Inappropriate Encoding for Output Context"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136386"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability was found in a Jenkins plugin. This issue may allow an unauthenticated attacker to access Jenkins builds, bypassing CSRF protections. This could compromise the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43407"
},
{
"category": "external",
"summary": "RHBZ#2136386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43407",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43407"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin"
},
{
"cve": "CVE-2022-43408",
"cwe": {
"id": "CWE-838",
"name": "Inappropriate Encoding for Output Context"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136388"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site request forgery (CSRF) vulnerability was found in a Jenkins plugin. This issue may allow an authenticated attacker to access Jenkins builds, bypassing CSRF protections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43408"
},
{
"category": "external",
"summary": "RHBZ#2136388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43408",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43408"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin"
},
{
"cve": "CVE-2022-43409",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136391"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability was found in a Jenkins plugin. This issue may allow an authenticated remote attacker to create Pipelines.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43409"
},
{
"category": "external",
"summary": "RHBZ#2136391",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43409",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43409"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin"
},
{
"cve": "CVE-2022-43410",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136369"
}
],
"notes": [
{
"category": "description",
"text": "An information leak was found in a Jenkins plugin. This issue could allow an unauthenticated remote attacker to issue GET requests. The greatest impact is to confidentiality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43410"
},
{
"category": "external",
"summary": "RHBZ#2136369",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136369"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43410",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43410"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43410",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43410"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2831",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2831"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/mercurial: Webhook endpoint discloses job names to unauthorized users in Mercurial Plugin"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-06T09:01:46+00:00",
"details": "For important instructions on how to upgrade your cluster and fully apply this asynchronous errata update in OpenShift Container Platform 4.12, see the following documentation, which will be updated shortly for this release:\n\nhttps://docs.openshift.com/container-platform/4.12/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1064"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-0:2.361.4.1675702346-3.el8.src",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.noarch",
"8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1675702407-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
}
]
}
RHSA-2023:3641
Vulnerability from csaf_redhat - Published: 2023-06-15 15:23 - Updated: 2025-11-21 18:41Summary
Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 2 release
Notes
Topic
Camel for Spring Boot 3.18.3 Patch 2 release and security update is now available.
Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed.
* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40156)
* dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Camel for Spring Boot 3.18.3 Patch 2 release and security update is now available.\n\nRed Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed.\n\n* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)\n\n* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40156)\n\n* dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern.match (CVE-2022-38751)\n\n* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:3641",
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2023-Q2",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2023-Q2"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "2129710",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129710"
},
{
"category": "external",
"summary": "2134288",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134288"
},
{
"category": "external",
"summary": "2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2151988",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2151988"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2182788",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182788"
},
{
"category": "external",
"summary": "2188542",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2188542"
},
{
"category": "external",
"summary": "2209342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209342"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3641.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 2 release",
"tracking": {
"current_release_date": "2025-11-21T18:41:30+00:00",
"generator": {
"date": "2025-11-21T18:41:30+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2023:3641",
"initial_release_date": "2023-06-15T15:23:47+00:00",
"revision_history": [
{
"date": "2023-06-15T15:23:47+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-06-15T15:23:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:41:30+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHINT Camel-Springboot 3.18.3.P2",
"product": {
"name": "RHINT Camel-Springboot 3.18.3.P2",
"product_id": "RHINT Camel-Springboot 3.18.3.P2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:camel_spring_boot:3.18"
}
}
}
],
"category": "product_family",
"name": "Red Hat Integration"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-38749",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129706"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38749"
},
{
"category": "external",
"summary": "RHBZ#2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode"
},
{
"cve": "CVE-2022-38750",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129707"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38750"
},
{
"category": "external",
"summary": "RHBZ#2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject"
},
{
"cve": "CVE-2022-38751",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129709"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38751"
},
{
"category": "external",
"summary": "RHBZ#2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match"
},
{
"cve": "CVE-2022-38752",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129710"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38752"
},
{
"category": "external",
"summary": "RHBZ#2129710",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129710"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38752",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38752"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38752",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38752"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode"
},
{
"cve": "CVE-2022-40152",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134291"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40152"
},
{
"category": "external",
"summary": "RHBZ#2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40152",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4",
"url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-40156",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134288"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the XStream package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40156"
},
{
"category": "external",
"summary": "RHBZ#2134288",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134288"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40156",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40156"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40156",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40156"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-41854",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2151988"
}
],
"notes": [
{
"category": "description",
"text": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "dev-java/snakeyaml: DoS via stack overflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41854"
},
{
"category": "external",
"summary": "RHBZ#2151988",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2151988"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41854",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41854"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355"
},
{
"category": "external",
"summary": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355"
}
],
"release_date": "2022-11-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "dev-java/snakeyaml: DoS via stack overflow"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "CXF: SSRF Vulnerability"
},
{
"cve": "CVE-2023-1370",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2023-04-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2188542"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json-smart package. This security flaw occurs when reaching a \u2018[\u2018 or \u2018{\u2018 character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-1370"
},
{
"category": "external",
"summary": "RHBZ#2188542",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2188542"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-1370",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1370"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-493p-pfq6-5258",
"url": "https://github.com/advisories/GHSA-493p-pfq6-5258"
},
{
"category": "external",
"summary": "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/",
"url": "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/"
}
],
"release_date": "2023-03-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)"
},
{
"cve": "CVE-2023-1436",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2023-03-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2182788"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison. Infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This issue leads to a StackOverflowError exception being thrown.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: Uncontrolled Recursion in JSONArray",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-1436"
},
{
"category": "external",
"summary": "RHBZ#2182788",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182788"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-1436",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1436"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436"
},
{
"category": "external",
"summary": "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/",
"url": "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/"
}
],
"release_date": "2023-03-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: Uncontrolled Recursion in JSONArray"
},
{
"cve": "CVE-2023-20883",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-05-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2209342"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot\u0027s welcome page support, either static or templated, resulting in the application being deployed behind a proxy that caches 404 responses. This issue may cause a denial of service (DoS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "spring-boot: Spring Boot Welcome Page DoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-20883"
},
{
"category": "external",
"summary": "RHBZ#2209342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209342"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-20883",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20883"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-20883",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20883"
}
],
"release_date": "2023-05-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "spring-boot: Spring Boot Welcome Page DoS Vulnerability"
}
]
}
RHSA-2023:1049
Vulnerability from csaf_redhat - Published: 2023-03-01 21:58 - Updated: 2025-12-05 06:19Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update
Notes
Topic
A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.2 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* keycloak: reflected XSS attack (CVE-2022-4137)
* Keycloak Node.js Adapter: Open redirect vulnerability in checkSSO (CVE-2022-2237)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.2 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* keycloak: reflected XSS attack (CVE-2022-4137)\n* Keycloak Node.js Adapter: Open redirect vulnerability in checkSSO (CVE-2022-2237)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1049",
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "2097007",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097007"
},
{
"category": "external",
"summary": "2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1049.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update",
"tracking": {
"current_release_date": "2025-12-05T06:19:34+00:00",
"generator": {
"date": "2025-12-05T06:19:34+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.13"
}
},
"id": "RHSA-2023:1049",
"initial_release_date": "2023-03-01T21:58:17+00:00",
"revision_history": [
{
"date": "2023-03-01T21:58:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-01T21:58:17+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-12-05T06:19:34+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7",
"product": {
"name": "Red Hat Single Sign-On 7",
"product_id": "Red Hat Single Sign-On 7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. As PCS does not accept untrusted input, the vulnerable code cannot be controlled by an attacker.\n\nMultiple Red Hat offerings use doxygen to build documentation. During this process an affected jquery.js file can be included in the resulting package. The \u0027gcc\u0027 and \u0027tbb\u0027 packages were potentially vulnerable via this method.\n\nOpenShift Container Platform 4 is not affected because even though it uses the \u0027gcc\u0027 component, vulnerable code is limited within the libstdc++-docs rpm package, which is not shipped.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nStatic code analysis controls ensure that security flaws, including XSS vulnerabilities, are detected early in development by scanning code for improper input handling. This prevents vulnerable code from reaching production and encourages our developers to follow secure coding practices. System monitoring controls play a crucial role in detecting and responding to XSS attacks by analyzing logs, monitoring user behavior, and generating alerts for suspicious activity. Meanwhile, AWS WAF (Web Application Firewall) adds an extra layer of defense by filtering and blocking malicious input before it reaches the platform and/or application. Together, these controls create a defense-in-depth approach, reducing the risk of XSS exploitation by preventing, detecting, and mitigating attacks at multiple levels.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"Red Hat Single Sign-On 7"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2025-01-23T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2021-35065",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156324"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glob-parent: Regular Expression Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-35065"
},
{
"category": "external",
"summary": "RHBZ#2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35065"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294",
"url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294"
}
],
"release_date": "2022-12-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "glob-parent: Regular Expression Denial of Service"
},
{
"cve": "CVE-2021-44906",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-03-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066009"
}
],
"notes": [
{
"category": "description",
"text": "An Uncontrolled Resource Consumption flaw was found in minimist. The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. This flaw (CVE-2021-44906) allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "minimist: prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "As minimist is an argument parsing module for nodejs, exploitation of this vulnerability requires an attacker to influence which arguments are passed to nodejs when running a script. Red Hat products and services are designed in such a way that gaining this ability is not trivial. Additionally, the impact is limited by only enabling the pollution of functions, and not all generic objects.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44906"
},
{
"category": "external",
"summary": "RHBZ#2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"
}
],
"release_date": "2022-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "minimist: prototype pollution"
},
{
"acknowledgments": [
{
"names": [
"Marcus Nilsson"
],
"organization": "usd AG"
}
],
"cve": "CVE-2022-1274",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-04-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2073157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: HTML injection in execute-actions-email Admin REST API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1274"
},
{
"category": "external",
"summary": "RHBZ#2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1274"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725"
}
],
"release_date": "2023-02-28T18:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: HTML injection in execute-actions-email Admin REST API"
},
{
"acknowledgments": [
{
"names": [
"Grzegorz Tworek"
],
"organization": "SISOFT s.c."
}
],
"cve": "CVE-2022-1438",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2021-12-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031904"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: XSS on impersonation under specific circumstances",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1438"
},
{
"category": "external",
"summary": "RHBZ#2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1438"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438"
}
],
"release_date": "2023-02-28T18:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: XSS on impersonation under specific circumstances"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"acknowledgments": [
{
"names": [
"Ayta\u00e7 Kal\u0131nc\u0131",
"Ilker Bulgurcu",
"Yasin Y\u0131lmaz"
],
"organization": "NETA\u015e PENTEST TEAM"
}
],
"cve": "CVE-2022-2237",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"discovery_date": "2022-06-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2097007"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Adapter: Open redirect vulnerability in checkSSO",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "CodeReady Studio is no longer supported. Therefore, this flaw will not be addressed in CodeReady Studio. Please see https://developers.redhat.com/articles/2022/04/18/announcement-red-hat-codeready-studio-reaches-end-life for more information.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2237"
},
{
"category": "external",
"summary": "RHBZ#2097007",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097007"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2237",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2237"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2237",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2237"
}
],
"release_date": "2023-03-01T13:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Adapter: Open redirect vulnerability in checkSSO"
},
{
"cve": "CVE-2022-2764",
"discovery_date": "2022-08-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2117506"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2764"
},
{
"category": "external",
"summary": "RHBZ#2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2764"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764"
}
],
"release_date": "2022-08-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations"
},
{
"cve": "CVE-2022-3782",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-10-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2138971"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: path traversal via double URL encoding",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not impacted as this CVE affects the server-side Keycloak execution but Quarkus only acts as a Keycloak client in its quarkus-keycloak-authorization extension. For this reason Quarkus is marked with Low impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3782"
},
{
"category": "external",
"summary": "RHBZ#2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3782",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3782"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782"
}
],
"release_date": "2022-12-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: path traversal via double URL encoding"
},
{
"acknowledgments": [
{
"names": [
"Peter Flintholm"
],
"organization": "Trifork"
}
],
"cve": "CVE-2022-3916",
"cwe": {
"id": "CWE-384",
"name": "Session Fixation"
},
"discovery_date": "2022-11-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2141404"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Session takeover with OIDC offline refreshtokens",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3916"
},
{
"category": "external",
"summary": "RHBZ#2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3916"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916"
}
],
"release_date": "2022-11-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Session takeover with OIDC offline refreshtokens"
},
{
"cve": "CVE-2022-4137",
"cwe": {
"id": "CWE-81",
"name": "Improper Neutralization of Script in an Error Message Web Page"
},
"discovery_date": "2022-11-25T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2148496"
}
],
"notes": [
{
"category": "description",
"text": "A reflected cross-site scripting (XSS) vulnerability was found in the \u0027oob\u0027 OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: reflected XSS attack",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4137"
},
{
"category": "external",
"summary": "RHBZ#2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4137",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137"
}
],
"release_date": "2023-03-01T13:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: reflected XSS attack"
},
{
"cve": "CVE-2022-24785",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-04-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2072009"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Moment.js: Path traversal in moment.locale",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Quay 3.10 and above, no version of affected momentjs is present.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24785"
},
{
"category": "external",
"summary": "RHBZ#2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4",
"url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
}
],
"release_date": "2022-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
},
{
"category": "workaround",
"details": "Sanitize the user-provided locale name before passing it to Moment.js.",
"product_ids": [
"Red Hat Single Sign-On 7"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Moment.js: Path traversal in moment.locale"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-31129",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-07-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2105075"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "moment: inefficient parsing algorithm resulting in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.\n\nIn Quay IO 3.10 and above, no version of affected momentjs is present.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31129"
},
{
"category": "external",
"summary": "RHBZ#2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
"url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
}
],
"release_date": "2022-07-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "moment: inefficient parsing algorithm resulting in DoS"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-38749",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129706"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38749"
},
{
"category": "external",
"summary": "RHBZ#2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode"
},
{
"cve": "CVE-2022-38750",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129707"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38750"
},
{
"category": "external",
"summary": "RHBZ#2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject"
},
{
"cve": "CVE-2022-38751",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129709"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38751"
},
{
"category": "external",
"summary": "RHBZ#2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"Red Hat Single Sign-On 7"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46175",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json5: Prototype Pollution in JSON5 via Parse Method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46175"
},
{
"category": "external",
"summary": "RHBZ#2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175"
},
{
"category": "external",
"summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h",
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
}
],
"release_date": "2022-12-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "json5: Prototype Pollution in JSON5 via Parse Method"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "CXF: SSRF Vulnerability"
},
{
"acknowledgments": [
{
"names": [
"Sourav Kumar"
],
"organization": "https://github.com/souravs17031999",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0091",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Client Registration endpoint does not check token revocation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0091"
},
{
"category": "external",
"summary": "RHBZ#2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0091"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg"
},
{
"category": "external",
"summary": "https://github.com/keycloak/security/issues/27",
"url": "https://github.com/keycloak/security/issues/27"
}
],
"release_date": "2022-10-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Client Registration endpoint does not check token revocation"
},
{
"acknowledgments": [
{
"names": [
"Jordi Zayuelas i Mu\u00f1oz"
],
"organization": "A1 Digital",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0264",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2023-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: user impersonation via stolen uuid code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0264"
},
{
"category": "external",
"summary": "RHBZ#2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0264"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264"
}
],
"release_date": "2023-02-28T18:58:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: user impersonation via stolen uuid code"
}
]
}
RHSA-2023_0554
Vulnerability from csaf_redhat - Published: 2023-01-31 13:15 - Updated: 2024-12-16 02:20Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* jquery: Prototype pollution in object's prototype leading to denial of
service, remote code execution, or property injection (CVE-2019-11358)
* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
(CVE-2018-14040)
* jquery: Untrusted code execution via <option> tag in HTML passed to DOM
manipulation methods (CVE-2020-11023)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
(CVE-2020-11022)
* bootstrap: XSS in the data-target attribute (CVE-2016-10735)
* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy
(CVE-2018-14041)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability
(CVE-2022-45047)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40152)
* bootstrap: Cross-site Scripting (XSS) in the data-container property of
tooltip (CVE-2018-14042)
* bootstrap: XSS in the tooltip or popover data-template attribute
(CVE-2019-8331)
* nodejs-moment: Regular expression denial of service (CVE-2017-18214)
* wildfly-elytron: possible timing attacks via use of unsafe comparator
(CVE-2022-3143)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
(CVE-2022-42003)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jettison: memory exhaustion via user-supplied XML or JSON data
(CVE-2022-40150)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9.\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of\nservice, remote code execution, or property injection (CVE-2019-11358)\n\n* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)\n\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute\n(CVE-2018-14040)\n\n* jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM\nmanipulation methods (CVE-2020-11023)\n\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method\n(CVE-2020-11022)\n\n* bootstrap: XSS in the data-target attribute (CVE-2016-10735)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy\n(CVE-2018-14041)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability\n(CVE-2022-45047)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of\nService attacks (CVE-2022-40152)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-container property of\ntooltip (CVE-2018-14042)\n\n* bootstrap: XSS in the tooltip or popover data-template attribute\n(CVE-2019-8331)\n\n* nodejs-moment: Regular expression denial of service (CVE-2017-18214)\n\n* wildfly-elytron: possible timing attacks via use of unsafe comparator\n(CVE-2022-3143)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS\n(CVE-2022-42003)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data\n(CVE-2022-40150)\n\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0554",
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/"
},
{
"category": "external",
"summary": "1399546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546"
},
{
"category": "external",
"summary": "1553413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1668097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097"
},
{
"category": "external",
"summary": "1686454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "2124682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682"
},
{
"category": "external",
"summary": "2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "JBEAP-23864",
"url": "https://issues.redhat.com/browse/JBEAP-23864"
},
{
"category": "external",
"summary": "JBEAP-23865",
"url": "https://issues.redhat.com/browse/JBEAP-23865"
},
{
"category": "external",
"summary": "JBEAP-23866",
"url": "https://issues.redhat.com/browse/JBEAP-23866"
},
{
"category": "external",
"summary": "JBEAP-23928",
"url": "https://issues.redhat.com/browse/JBEAP-23928"
},
{
"category": "external",
"summary": "JBEAP-24055",
"url": "https://issues.redhat.com/browse/JBEAP-24055"
},
{
"category": "external",
"summary": "JBEAP-24081",
"url": "https://issues.redhat.com/browse/JBEAP-24081"
},
{
"category": "external",
"summary": "JBEAP-24095",
"url": "https://issues.redhat.com/browse/JBEAP-24095"
},
{
"category": "external",
"summary": "JBEAP-24100",
"url": "https://issues.redhat.com/browse/JBEAP-24100"
},
{
"category": "external",
"summary": "JBEAP-24127",
"url": "https://issues.redhat.com/browse/JBEAP-24127"
},
{
"category": "external",
"summary": "JBEAP-24128",
"url": "https://issues.redhat.com/browse/JBEAP-24128"
},
{
"category": "external",
"summary": "JBEAP-24132",
"url": "https://issues.redhat.com/browse/JBEAP-24132"
},
{
"category": "external",
"summary": "JBEAP-24147",
"url": "https://issues.redhat.com/browse/JBEAP-24147"
},
{
"category": "external",
"summary": "JBEAP-24167",
"url": "https://issues.redhat.com/browse/JBEAP-24167"
},
{
"category": "external",
"summary": "JBEAP-24191",
"url": "https://issues.redhat.com/browse/JBEAP-24191"
},
{
"category": "external",
"summary": "JBEAP-24195",
"url": "https://issues.redhat.com/browse/JBEAP-24195"
},
{
"category": "external",
"summary": "JBEAP-24207",
"url": "https://issues.redhat.com/browse/JBEAP-24207"
},
{
"category": "external",
"summary": "JBEAP-24248",
"url": "https://issues.redhat.com/browse/JBEAP-24248"
},
{
"category": "external",
"summary": "JBEAP-24426",
"url": "https://issues.redhat.com/browse/JBEAP-24426"
},
{
"category": "external",
"summary": "JBEAP-24427",
"url": "https://issues.redhat.com/browse/JBEAP-24427"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0554.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update",
"tracking": {
"current_release_date": "2024-12-16T02:20:06+00:00",
"generator": {
"date": "2024-12-16T02:20:06+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:0554",
"initial_release_date": "2023-01-31T13:15:23+00:00",
"revision_history": [
{
"date": "2023-01-31T13:15:23+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-31T13:15:23+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-16T02:20:06+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss EAP 7.4 for RHEL 9",
"product": {
"name": "Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"product_id": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-elytron-web@1.9.3-1.Final_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_id": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-1.redhat_00003.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src",
"product_id": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-woodstox-core@6.4.0-1.redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_id": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-1.redhat_00003.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"product": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"product_id": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-javaee-security-soteria@1.0.1-3.redhat_00003.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_id": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-1.redhat_00003.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product": {
"name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_id": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-providers@2.12.7-1.redhat_00003.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_id": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-1.redhat_00003.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_id": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-1.redhat_00003.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"product": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"product_id": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-1.redhat_00002.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"product_id": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow@2.2.22-1.SP3_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"product_id": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.27-1.Final_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"product_id": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.3.16-1.Final_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"product_id": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar@1.5.10-1.Final_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"product_id": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsp-api_2.3_spec@2.0.0-3.Final_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"product_id": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-sshd@2.9.2-1.redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"product_id": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-ejb-client@4.0.49-1.Final_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"product_id": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsf-api_2.3_spec@3.0.0-6.SP07_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"product_id": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search@5.10.13-3.Final_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"product_id": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.16-1.Final_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"product": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"product_id": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-24.Final_redhat_00023.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"product": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"product_id": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.4.9-4.GA_redhat_00003.1.el9eap?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow-server@1.9.3-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"product_id": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-woodstox-core@6.4.0-1.redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-datatype-jdk8@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-datatype-jsr310@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-javaee-security-soteria@1.0.1-3.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-javaee-security-soteria-enterprise@1.0.1-3.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-base@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-json-provider@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-module-jaxb-annotations@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"product": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"product_id": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-1.redhat_00002.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow@2.2.22-1.SP3_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.27-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.3.16-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-api@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-impl@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-spi@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-core-api@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-core-impl@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-deployers-common@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-jdbc@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-validator@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsp-api_2.3_spec@2.0.0-3.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"product_id": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-sshd@2.9.2-1.redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-ejb-client@4.0.49-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsf-api_2.3_spec@3.0.0-6.SP07_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search@5.10.13-3.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-backend-jgroups@5.10.13-3.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-backend-jms@5.10.13-3.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-engine@5.10.13-3.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-orm@5.10.13-3.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-serialization-avro@5.10.13-3.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.16-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.16-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"product_id": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-24.Final_redhat_00023.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"product_id": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-24.Final_redhat_00023.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"product_id": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-24.Final_redhat_00023.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"product_id": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.4.9-4.GA_redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"product_id": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.9-4.GA_redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"product_id": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.9-4.GA_redhat_00003.1.el9eap?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src"
},
"product_reference": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src"
},
"product_reference": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src"
},
"product_reference": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src"
},
"product_reference": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src"
},
"product_reference": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src"
},
"product_reference": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src"
},
"product_reference": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src"
},
"product_reference": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch"
},
"product_reference": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src"
},
"product_reference": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src"
},
"product_reference": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-9251",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2016-11-27T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1399546"
}
],
"notes": [
{
"category": "description",
"text": "jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting via cross-domain ajax requests",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-9251"
},
{
"category": "external",
"summary": "RHBZ#1399546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-9251",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-9251"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251"
}
],
"release_date": "2015-06-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Cross-site scripting via cross-domain ajax requests"
},
{
"cve": "CVE-2016-10735",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-01-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1668097"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: XSS in the data-target attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.\n\nRed Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-10735"
},
{
"category": "external",
"summary": "RHBZ#1668097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-10735",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10735"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735"
}
],
"release_date": "2016-06-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: XSS in the data-target attribute"
},
{
"cve": "CVE-2017-18214",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2018-03-08T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1553413"
}
],
"notes": [
{
"category": "description",
"text": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-moment: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of momentjs as shipped with Red Hat Enterprise Satellite 5. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-18214"
},
{
"category": "external",
"summary": "RHBZ#1553413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-18214",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-18214"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214"
}
],
"release_date": "2017-09-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs-moment: Regular expression denial of service"
},
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14041",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601616"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting, caused by improper validation of user-supplied input by the data-target property of scrollspy. This flaw allows a remote attacker to execute a script in a victim\u0027s Web browser within the security context of the hosting Web site, which can lead to stealing the victim\u0027s cookie-based authentication credentials.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14041"
},
{
"category": "external",
"summary": "RHBZ#1601616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14041",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14041"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-8331",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-02-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1686454"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popover events fired.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: XSS in the tooltip or popover data-template attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-8331"
},
{
"category": "external",
"summary": "RHBZ#1686454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-8331",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8331"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331"
}
],
"release_date": "2019-02-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: XSS in the tooltip or popover data-template attribute"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2022-3143",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-09-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2124682"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-elytron: possible timing attacks via use of unsafe comparator",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3143"
},
{
"category": "external",
"summary": "RHBZ#2124682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3143",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3143"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143"
}
],
"release_date": "2022-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly-elytron: possible timing attacks via use of unsafe comparator"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-40152",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134291"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40152"
},
{
"category": "external",
"summary": "RHBZ#2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40152",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4",
"url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "CXF: SSRF Vulnerability"
}
]
}
RHSA-2023:0074
Vulnerability from csaf_redhat - Published: 2023-01-11 11:29 - Updated: 2025-11-21 18:36Summary
Red Hat Security Advisory: RHV 4.4 SP1 [ovirt-4.5.3-3] security update
Notes
Topic
Updated RHV packages that fix several bugs and add various enhancements are now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.
Security fix(es):
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* isomorphic-git: Directory traversal via a crafted repository (CVE-2021-30483)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* With this release, SELinux rules for the Grafana HTTP port are now properly set up for new remote DWH installations as part of the Red Hat Virtualization Manager engine-setup. (BZ#2126778)
* Previously, search conditions were not applied properly when a non-admin user tried to search for Clusters or Data Centers over the REST API. In this release, both admin and non-admin users can search for clusters properly using the REST API. (BZ#2144346)
* Previously, stale bitmaps in the base image during a cold or live internal merge caused the operation to fail. In this release, the merge operation succeeds. (BZ#2141371)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated RHV packages that fix several bugs and add various enhancements are now available.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.\n\nSecurity fix(es):\n\n* mina-sshd: Java unsafe deserialization vulnerability\u00a0(CVE-2022-45047)\n\n* isomorphic-git: Directory traversal via a crafted repository (CVE-2021-30483)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* With this release, SELinux rules for the Grafana HTTP port are now properly set up for new remote DWH installations as part of the Red Hat Virtualization Manager engine-setup. (BZ#2126778)\n\n* Previously, search conditions were not applied properly when a non-admin user tried to search for Clusters or Data Centers over the REST API. In this release, both admin and non-admin users can search for clusters properly using the REST API. (BZ#2144346)\n\n* Previously, stale bitmaps in the base image during a cold or live internal merge caused the operation to fail. In this release, the merge operation succeeds. (BZ#2141371)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0074",
"url": "https://access.redhat.com/errata/RHSA-2023:0074"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1988539",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1988539"
},
{
"category": "external",
"summary": "2126778",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126778"
},
{
"category": "external",
"summary": "2141371",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141371"
},
{
"category": "external",
"summary": "2144346",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144346"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2152015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2152015"
},
{
"category": "external",
"summary": "2152845",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2152845"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0074.json"
}
],
"title": "Red Hat Security Advisory: RHV 4.4 SP1 [ovirt-4.5.3-3] security update",
"tracking": {
"current_release_date": "2025-11-21T18:36:02+00:00",
"generator": {
"date": "2025-11-21T18:36:02+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2023:0074",
"initial_release_date": "2023-01-11T11:29:09+00:00",
"revision_history": [
{
"date": "2023-01-11T11:29:09+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-11T11:29:09+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:36:02+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product": {
"name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhev_manager:4.4:el8"
}
}
},
{
"category": "product_name",
"name": "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product": {
"name": "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8"
}
}
},
{
"category": "product_name",
"name": "Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product": {
"name": "Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Virtualization"
},
{
"branches": [
{
"category": "product_version",
"name": "ovirt-engine-0:4.5.3.5-1.el8ev.src",
"product": {
"name": "ovirt-engine-0:4.5.3.5-1.el8ev.src",
"product_id": "ovirt-engine-0:4.5.3.5-1.el8ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine@4.5.3.5-1.el8ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "apache-sshd-1:2.9.2-0.1.el8ev.src",
"product": {
"name": "apache-sshd-1:2.9.2-0.1.el8ev.src",
"product_id": "apache-sshd-1:2.9.2-0.1.el8ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-sshd@2.9.2-0.1.el8ev?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src",
"product": {
"name": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src",
"product_id": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-ui-extensions@1.3.7-1.el8ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "ovirt-web-ui-0:1.9.3-1.el8ev.src",
"product": {
"name": "ovirt-web-ui-0:1.9.3-1.el8ev.src",
"product_id": "ovirt-web-ui-0:1.9.3-1.el8ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-web-ui@1.9.3-1.el8ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"product": {
"name": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"product_id": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhv-log-collector-analyzer@1.0.16-1.el8ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "vdsm-0:4.50.3.6-1.el8ev.src",
"product": {
"name": "vdsm-0:4.50.3.6-1.el8ev.src",
"product_id": "vdsm-0:4.50.3.6-1.el8ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm@4.50.3.6-1.el8ev?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-backend@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-dbscripts@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-health-check-bundler@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-restapi@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-setup@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-setup-base@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-cinderlib@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-imageio@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine-common@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-vmconsole-proxy-helper@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-websocket-proxy@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-tools@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-tools-backup@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-vmconsole-proxy-helper@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-webadmin-portal@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-websocket-proxy@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"product_id": "python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-ovirt-engine-lib@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhvm-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "rhvm-0:4.5.3.5-1.el8ev.noarch",
"product_id": "rhvm-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhvm@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"product": {
"name": "apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"product_id": "apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-sshd@2.9.2-0.1.el8ev?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch",
"product": {
"name": "apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch",
"product_id": "apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-sshd-javadoc@2.9.2-0.1.el8ev?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"product_id": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-ui-extensions@1.3.7-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"product": {
"name": "ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"product_id": "ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-web-ui@1.9.3-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"product": {
"name": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"product_id": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhv-log-collector-analyzer@1.0.16-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-api@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-client@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-common@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-cpuflags@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-ethtool-options@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-fcoe@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-localdisk@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-nestedvt@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-openstacknet@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-vhostmd@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-http@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-jsonrpc@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-python@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-yajsonrpc@4.50.3.6-1.el8ev?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "vdsm-0:4.50.3.6-1.el8ev.x86_64",
"product": {
"name": "vdsm-0:4.50.3.6-1.el8ev.x86_64",
"product_id": "vdsm-0:4.50.3.6-1.el8ev.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm@4.50.3.6-1.el8ev?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"product": {
"name": "vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"product_id": "vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-gluster@4.50.3.6-1.el8ev?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"product": {
"name": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"product_id": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-checkips@4.50.3.6-1.el8ev?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"product": {
"name": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"product_id": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-extra-ipv4-addrs@4.50.3.6-1.el8ev?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"product": {
"name": "vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"product_id": "vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-network@4.50.3.6-1.el8ev?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"product": {
"name": "vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"product_id": "vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm@4.50.3.6-1.el8ev?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"product": {
"name": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"product_id": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-checkips@4.50.3.6-1.el8ev?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"product": {
"name": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"product_id": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-extra-ipv4-addrs@4.50.3.6-1.el8ev?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"product": {
"name": "vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"product_id": "vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-network@4.50.3.6-1.el8ev?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-0:4.50.3.6-1.el8ev.ppc64le as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le"
},
"product_reference": "vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-0:4.50.3.6-1.el8ev.src as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.src"
},
"product_reference": "vdsm-0:4.50.3.6-1.el8ev.src",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-api-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-client-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-common-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le"
},
"product_reference": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le"
},
"product_reference": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-http-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-network-0:4.50.3.6-1.el8ev.ppc64le as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le"
},
"product_reference": "vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-network-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-python-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-0:4.50.3.6-1.el8ev.ppc64le as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le"
},
"product_reference": "vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-0:4.50.3.6-1.el8ev.src as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.src"
},
"product_reference": "vdsm-0:4.50.3.6-1.el8ev.src",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-api-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-client-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-common-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le"
},
"product_reference": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le"
},
"product_reference": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-http-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-network-0:4.50.3.6-1.el8ev.ppc64le as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le"
},
"product_reference": "vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-network-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-python-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-1:2.9.2-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.noarch"
},
"product_reference": "apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-1:2.9.2-0.1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.src"
},
"product_reference": "apache-sshd-1:2.9.2-0.1.el8ev.src",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch"
},
"product_reference": "apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-0:4.5.3.5-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.src"
},
"product_reference": "ovirt-engine-0:4.5.3.5-1.el8ev.src",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src"
},
"product_reference": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-web-ui-0:1.9.3-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.noarch"
},
"product_reference": "ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-web-ui-0:1.9.3-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.src"
},
"product_reference": "ovirt-web-ui-0:1.9.3-1.el8ev.src",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch"
},
"product_reference": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src"
},
"product_reference": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhvm-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:rhvm-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "rhvm-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-30483",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2021-07-30T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.src",
"8Base-RHV-S-4.4:apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.src",
"8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"8Base-RHV-S-4.4:rhvm-0:4.5.3.5-1.el8ev.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1988539"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in isomorphic-git. An attacker could cause a Directory Traversal via a crafted filepath in a repository being cloned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "isomorphic-git: Directory traversal via a crafted repository",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Hat Virtualization, isomorphic-git is a build time dependency and is not delivered with the product. Therefore impact has been rated Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src"
],
"known_not_affected": [
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.src",
"8Base-RHV-S-4.4:apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.src",
"8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"8Base-RHV-S-4.4:rhvm-0:4.5.3.5-1.el8ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-30483"
},
{
"category": "external",
"summary": "RHBZ#1988539",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1988539"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-30483",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30483"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-30483",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30483"
},
{
"category": "external",
"summary": "https://github.com/isomorphic-git/isomorphic-git/pull/1339",
"url": "https://github.com/isomorphic-git/isomorphic-git/pull/1339"
},
{
"category": "external",
"summary": "https://github.com/isomorphic-git/isomorphic-git/releases/tag/v1.8.2",
"url": "https://github.com/isomorphic-git/isomorphic-git/releases/tag/v1.8.2"
},
{
"category": "external",
"summary": "https://vuln.ryotak.me/advisories/28",
"url": "https://vuln.ryotak.me/advisories/28"
}
],
"release_date": "2021-07-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-11T11:29:09+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0074"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.src",
"8Base-RHV-S-4.4:apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.src",
"8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"8Base-RHV-S-4.4:rhvm-0:4.5.3.5-1.el8ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "isomorphic-git: Directory traversal via a crafted repository"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.src",
"8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"8Base-RHV-S-4.4:rhvm-0:4.5.3.5-1.el8ev.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.src",
"8Base-RHV-S-4.4:apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch"
],
"known_not_affected": [
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.src",
"8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"8Base-RHV-S-4.4:rhvm-0:4.5.3.5-1.el8ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-11T11:29:09+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.src",
"8Base-RHV-S-4.4:apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0074"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.src",
"8Base-RHV-S-4.4:apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.src",
"8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"8Base-RHV-S-4.4:rhvm-0:4.5.3.5-1.el8ev.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.src",
"8Base-RHV-S-4.4:apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.src",
"8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"8Base-RHV-S-4.4:rhvm-0:4.5.3.5-1.el8ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
}
]
}
RHSA-2023_1047
Vulnerability from csaf_redhat - Published: 2023-03-01 21:46 - Updated: 2024-12-18 00:38Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 for OpenShift image security and enhancement update
Notes
Topic
A new image is available for Red Hat Single Sign-On 7.6.2, running on Red
Hat OpenShift Container Platform from the release of 3.11 up to the release
of 4.12.0.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On is an integrated sign-on solution, available as a
Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat
Single Sign-On for OpenShift image provides an authentication server that
you can use to log in centrally, log out, and register. You can also manage
user accounts for web applications, mobile applications, and RESTful web
services.
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* RH-SSO for OpenShift images: unsecured management interface exposed to adjacent network (CVE-2022-4039)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: XSS on izmpersonation under specific circumstances (CVE-2022-1438)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
This erratum releases a new image for Red Hat Single Sign-On 7.6.2 for use
within the Red Hat OpenShift Container Platform (from the release of 3.11
up to the release of 4.12.0) cloud computing Platform-as-a-Service (PaaS)
for on-premise or private cloud deployments, aligning with the standalone
product release.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A new image is available for Red Hat Single Sign-On 7.6.2, running on Red\nHat OpenShift Container Platform from the release of 3.11 up to the release\nof 4.12.0.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On is an integrated sign-on solution, available as a\nRed Hat JBoss Middleware for OpenShift containerized image. The Red Hat\nSingle Sign-On for OpenShift image provides an authentication server that\nyou can use to log in centrally, log out, and register. You can also manage\nuser accounts for web applications, mobile applications, and RESTful web\nservices.\n\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* RH-SSO for OpenShift images: unsecured management interface exposed to adjacent network (CVE-2022-4039)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: XSS on izmpersonation under specific circumstances (CVE-2022-1438)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.6.2 for use\nwithin the Red Hat OpenShift Container Platform (from the release of 3.11\nup to the release of 4.12.0) cloud computing Platform-as-a-Service (PaaS)\nfor on-premise or private cloud deployments, aligning with the standalone\nproduct release.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1047",
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "2143416",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143416"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1047.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 for OpenShift image security and enhancement update",
"tracking": {
"current_release_date": "2024-12-18T00:38:34+00:00",
"generator": {
"date": "2024-12-18T00:38:34+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:1047",
"initial_release_date": "2023-03-01T21:46:46+00:00",
"revision_history": [
{
"date": "2023-03-01T21:46:46+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-01T21:46:46+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-18T00:38:34+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Middleware Containers for OpenShift",
"product": {
"name": "Middleware Containers for OpenShift",
"product_id": "8Base-RHOSE-Middleware",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhosemc:1.0::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x",
"product": {
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x",
"product_id": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x",
"product_identification_helper": {
"purl": "pkg:oci/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21?arch=s390x\u0026repository_url=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8\u0026tag=7.6-20"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"product": {
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"product_id": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60?arch=ppc64le\u0026repository_url=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8\u0026tag=7.6-20"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"product": {
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"product_id": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f?arch=amd64\u0026repository_url=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8\u0026tag=7.6-20"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le as a component of Middleware Containers for OpenShift",
"product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le"
},
"product_reference": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"relates_to_product_reference": "8Base-RHOSE-Middleware"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 as a component of Middleware Containers for OpenShift",
"product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64"
},
"product_reference": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"relates_to_product_reference": "8Base-RHOSE-Middleware"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x as a component of Middleware Containers for OpenShift",
"product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
},
"product_reference": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x",
"relates_to_product_reference": "8Base-RHOSE-Middleware"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2021-35065",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156324"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glob-parent: Regular Expression Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-35065"
},
{
"category": "external",
"summary": "RHBZ#2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35065"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294",
"url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294"
}
],
"release_date": "2022-12-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "glob-parent: Regular Expression Denial of Service"
},
{
"cve": "CVE-2021-44906",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-03-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066009"
}
],
"notes": [
{
"category": "description",
"text": "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "minimist: prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44906"
},
{
"category": "external",
"summary": "RHBZ#2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"
}
],
"release_date": "2022-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "minimist: prototype pollution"
},
{
"acknowledgments": [
{
"names": [
"Marcus Nilsson"
],
"organization": "usd AG"
}
],
"cve": "CVE-2022-1274",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-04-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2073157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: HTML injection in execute-actions-email Admin REST API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1274"
},
{
"category": "external",
"summary": "RHBZ#2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1274"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725"
}
],
"release_date": "2023-02-28T18:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: HTML injection in execute-actions-email Admin REST API"
},
{
"acknowledgments": [
{
"names": [
"Grzegorz Tworek"
],
"organization": "SISOFT s.c."
}
],
"cve": "CVE-2022-1438",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2021-12-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031904"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: XSS on impersonation under specific circumstances",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1438"
},
{
"category": "external",
"summary": "RHBZ#2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1438"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438"
}
],
"release_date": "2023-02-28T18:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: XSS on impersonation under specific circumstances"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-2764",
"discovery_date": "2022-08-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2117506"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2764"
},
{
"category": "external",
"summary": "RHBZ#2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2764"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764"
}
],
"release_date": "2022-08-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations"
},
{
"cve": "CVE-2022-3782",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-10-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2138971"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: path traversal via double URL encoding",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not impacted as this CVE affects the server-side Keycloak execution but Quarkus only acts as a Keycloak client in its quarkus-keycloak-authorization extension. For this reason Quarkus is marked with Low impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3782"
},
{
"category": "external",
"summary": "RHBZ#2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3782",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3782"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782"
}
],
"release_date": "2022-12-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: path traversal via double URL encoding"
},
{
"acknowledgments": [
{
"names": [
"Peter Flintholm"
],
"organization": "Trifork"
}
],
"cve": "CVE-2022-3916",
"cwe": {
"id": "CWE-384",
"name": "Session Fixation"
},
"discovery_date": "2022-11-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2141404"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Session takeover with OIDC offline refreshtokens",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3916"
},
{
"category": "external",
"summary": "RHBZ#2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3916"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916"
}
],
"release_date": "2022-11-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Session takeover with OIDC offline refreshtokens"
},
{
"acknowledgments": [
{
"names": [
"Thibault Guittet"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2022-4039",
"cwe": {
"id": "CWE-276",
"name": "Incorrect Default Permissions"
},
"discovery_date": "2022-11-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2143416"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with an unsecured management interface enabled. This flaw allows an attacker to use this interface to deploy malicious code and access and modify potentially sensitive information in the app server configuration.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rhsso-container-image: unsecured management interface exposed to adjecent network",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4039"
},
{
"category": "external",
"summary": "RHBZ#2143416",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143416"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4039",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4039"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4039",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4039"
}
],
"release_date": "2023-02-28T21:26:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "rhsso-container-image: unsecured management interface exposed to adjecent network"
},
{
"cve": "CVE-2022-24785",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-04-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2072009"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Moment.js: Path traversal in moment.locale",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24785"
},
{
"category": "external",
"summary": "RHBZ#2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4",
"url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
}
],
"release_date": "2022-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
},
{
"category": "workaround",
"details": "Sanitize the user-provided locale name before passing it to Moment.js.",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Moment.js: Path traversal in moment.locale"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-31129",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-07-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2105075"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "moment: inefficient parsing algorithm resulting in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31129"
},
{
"category": "external",
"summary": "RHBZ#2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
"url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
}
],
"release_date": "2022-07-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "moment: inefficient parsing algorithm resulting in DoS"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-38749",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129706"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38749"
},
{
"category": "external",
"summary": "RHBZ#2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode"
},
{
"cve": "CVE-2022-38750",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129707"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38750"
},
{
"category": "external",
"summary": "RHBZ#2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject"
},
{
"cve": "CVE-2022-38751",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129709"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38751"
},
{
"category": "external",
"summary": "RHBZ#2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46175",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json5: Prototype Pollution in JSON5 via Parse Method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46175"
},
{
"category": "external",
"summary": "RHBZ#2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175"
},
{
"category": "external",
"summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h",
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
}
],
"release_date": "2022-12-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "json5: Prototype Pollution in JSON5 via Parse Method"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "CXF: SSRF Vulnerability"
},
{
"acknowledgments": [
{
"names": [
"Sourav Kumar"
],
"organization": "https://github.com/souravs17031999",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0091",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Client Registration endpoint does not check token revocation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0091"
},
{
"category": "external",
"summary": "RHBZ#2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0091"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg"
},
{
"category": "external",
"summary": "https://github.com/keycloak/security/issues/27",
"url": "https://github.com/keycloak/security/issues/27"
}
],
"release_date": "2022-10-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Client Registration endpoint does not check token revocation"
},
{
"acknowledgments": [
{
"names": [
"Jordi Zayuelas i Mu\u00f1oz"
],
"organization": "A1 Digital",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0264",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2023-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: user impersonation via stolen uuid code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0264"
},
{
"category": "external",
"summary": "RHBZ#2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0264"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264"
}
],
"release_date": "2023-02-28T18:58:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:46:46+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64",
"8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: user impersonation via stolen uuid code"
}
]
}
RHSA-2025:1746
Vulnerability from csaf_redhat - Published: 2025-02-24 00:08 - Updated: 2025-12-05 12:21Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.1.9 on RHEL 7 security update
Notes
Topic
A security update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.1.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.1.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [eap-7.1.z] (CVE-2022-41881)
* velocity: arbitrary code execution when attacker is able to modify templates [eap-7.1.z] (CVE-2020-13936)
* jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution [eap-7.1.z] (CVE-2020-10673)
* jackson-databind: Serialization gadgets in anteros-core [eap-7.1.z] (CVE-2020-9548)
* jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution [eap-7.1.z] (CVE-2020-10672)
* wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users [eap-7.1.z] (CVE-2021-3717)
* jackson-databind: Serialization gadgets in ibatis-sqlmap [eap-7.1.z] (CVE-2020-9547)
* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) [eap-7.1.z] (CVE-2021-45046)
* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value [eap-7.1.z] (CVE-2021-44228)
* jackson-databind: Serialization gadgets in shaded-hikari-config [eap-7.1.z] (CVE-2020-9546)
* CXF: Apache CXF: directory listing / code exfiltration [eap-7.1.z] (CVE-2022-46363)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability [eap-7.1.z] (CVE-2022-45047)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos [eap-7.1.z] (CVE-2022-45693)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [eap-7.1.z] (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays [eap-7.1.z] (CVE-2022-42004)
* jackson-databind: Lacks certain xbean-reflect/JNDI blocking [eap-7.1.z] (CVE-2020-8840)
* snakeyaml: Constructor Deserialization Remote Code Execution [eap-7.1.z] (CVE-2022-1471)
* commons-text: apache-commons-text: variable interpolation RCE [eap-7.1.z] (CVE-2022-42889)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.1.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.1.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [eap-7.1.z] (CVE-2022-41881)\n\n* velocity: arbitrary code execution when attacker is able to modify templates [eap-7.1.z] (CVE-2020-13936)\n\n* jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution [eap-7.1.z] (CVE-2020-10673)\n\n* jackson-databind: Serialization gadgets in anteros-core [eap-7.1.z] (CVE-2020-9548)\n\n* jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution [eap-7.1.z] (CVE-2020-10672)\n\n* wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users [eap-7.1.z] (CVE-2021-3717)\n\n* jackson-databind: Serialization gadgets in ibatis-sqlmap [eap-7.1.z] (CVE-2020-9547)\n\n* log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228) [eap-7.1.z] (CVE-2021-45046)\n\n* log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value [eap-7.1.z] (CVE-2021-44228)\n\n* jackson-databind: Serialization gadgets in shaded-hikari-config [eap-7.1.z] (CVE-2020-9546)\n\n* CXF: Apache CXF: directory listing / code exfiltration [eap-7.1.z] (CVE-2022-46363)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability [eap-7.1.z] (CVE-2022-45047)\n\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos [eap-7.1.z] (CVE-2022-45693)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [eap-7.1.z] (CVE-2022-42003)\n\n* jackson-databind: use of deeply nested arrays [eap-7.1.z] (CVE-2022-42004)\n\n* jackson-databind: Lacks certain xbean-reflect/JNDI blocking [eap-7.1.z] (CVE-2020-8840)\n\n* snakeyaml: Constructor Deserialization Remote Code Execution [eap-7.1.z] (CVE-2022-1471)\n\n* commons-text: apache-commons-text: variable interpolation RCE [eap-7.1.z] (CVE-2022-42889)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:1746",
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1",
"url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1/html-single/installation_guide/index",
"url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.1/html-single/installation_guide/index"
},
{
"category": "external",
"summary": "1815470",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815470"
},
{
"category": "external",
"summary": "1815495",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815495"
},
{
"category": "external",
"summary": "1816330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816330"
},
{
"category": "external",
"summary": "1816332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816332"
},
{
"category": "external",
"summary": "1816337",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816337"
},
{
"category": "external",
"summary": "1816340",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816340"
},
{
"category": "external",
"summary": "1937440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937440"
},
{
"category": "external",
"summary": "1991305",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991305"
},
{
"category": "external",
"summary": "2030932",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932"
},
{
"category": "external",
"summary": "2032580",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "JBEAP-28583",
"url": "https://issues.redhat.com/browse/JBEAP-28583"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_1746.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.1.9 on RHEL 7 security update",
"tracking": {
"current_release_date": "2025-12-05T12:21:15+00:00",
"generator": {
"date": "2025-12-05T12:21:15+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.13"
}
},
"id": "RHSA-2025:1746",
"initial_release_date": "2025-02-24T00:08:27+00:00",
"revision_history": [
{
"date": "2025-02-24T00:08:27+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-02-24T00:08:27+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-12-05T12:21:15+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"product": {
"name": "eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"product_id": "eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-netty@4.1.63-1.Final_redhat_00002.1.ep7.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"product": {
"name": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"product_id": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-snakeyaml@1.33.0-1.SP1_redhat_00001.1.ep7.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"product": {
"name": "eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"product_id": "eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jettison@1.3.8-2.redhat_00002.1.ep7.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"product": {
"name": "eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"product_id": "eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-cxf@3.1.16-4.redhat_00003.1.ep7.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"product": {
"name": "eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"product_id": "eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-databind@2.8.11.6-2.SP1_redhat_00002.1.ep7.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"product": {
"name": "eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"product_id": "eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-velocity@1.7.0-3.redhat_00006.1.ep7.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"product": {
"name": "eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"product_id": "eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.1.9-2.GA_redhat_00002.1.ep7.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"product": {
"name": "eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"product_id": "eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy@3.0.27-1.Final_redhat_00001.1.ep7.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"product": {
"name": "eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"product_id": "eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-netty@4.1.63-1.Final_redhat_00002.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"product": {
"name": "eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"product_id": "eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-netty-all@4.1.63-1.Final_redhat_00002.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"product": {
"name": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"product_id": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-snakeyaml@1.33.0-1.SP1_redhat_00001.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"product": {
"name": "eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"product_id": "eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jettison@1.3.8-2.redhat_00002.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"product": {
"name": "eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"product_id": "eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-cxf@3.1.16-4.redhat_00003.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"product": {
"name": "eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"product_id": "eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-cxf-rt@3.1.16-4.redhat_00003.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"product": {
"name": "eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"product_id": "eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-cxf-services@3.1.16-4.redhat_00003.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"product": {
"name": "eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"product_id": "eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-cxf-tools@3.1.16-4.redhat_00003.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"product": {
"name": "eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"product_id": "eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-databind@2.8.11.6-2.SP1_redhat_00002.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"product": {
"name": "eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"product_id": "eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-velocity@1.7.0-3.redhat_00006.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"product": {
"name": "eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"product_id": "eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.1.9-2.GA_redhat_00002.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"product": {
"name": "eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"product_id": "eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.1.9-2.GA_redhat_00002.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product": {
"name": "eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_id": "eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy@3.0.27-1.Final_redhat_00001.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product": {
"name": "eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_id": "eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-atom-provider@3.0.27-1.Final_redhat_00001.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product": {
"name": "eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_id": "eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-cdi@3.0.27-1.Final_redhat_00001.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product": {
"name": "eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_id": "eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-client@3.0.27-1.Final_redhat_00001.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product": {
"name": "eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_id": "eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-crypto@3.0.27-1.Final_redhat_00001.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product": {
"name": "eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_id": "eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jackson-provider@3.0.27-1.Final_redhat_00001.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product": {
"name": "eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_id": "eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jackson2-provider@3.0.27-1.Final_redhat_00001.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product": {
"name": "eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_id": "eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jaxb-provider@3.0.27-1.Final_redhat_00001.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product": {
"name": "eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_id": "eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jaxrs@3.0.27-1.Final_redhat_00001.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product": {
"name": "eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_id": "eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jettison-provider@3.0.27-1.Final_redhat_00001.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product": {
"name": "eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_id": "eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jose-jwt@3.0.27-1.Final_redhat_00001.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product": {
"name": "eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_id": "eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-jsapi@3.0.27-1.Final_redhat_00001.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product": {
"name": "eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_id": "eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-json-p-provider@3.0.27-1.Final_redhat_00001.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product": {
"name": "eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_id": "eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-multipart-provider@3.0.27-1.Final_redhat_00001.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product": {
"name": "eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_id": "eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-spring@3.0.27-1.Final_redhat_00001.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product": {
"name": "eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_id": "eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-validator-provider-11@3.0.27-1.Final_redhat_00001.1.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product": {
"name": "eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_id": "eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-resteasy-yaml-provider@3.0.27-1.Final_redhat_00001.1.ep7.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch"
},
"product_reference": "eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src"
},
"product_reference": "eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch"
},
"product_reference": "eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch"
},
"product_reference": "eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch"
},
"product_reference": "eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch"
},
"product_reference": "eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src"
},
"product_reference": "eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch"
},
"product_reference": "eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src"
},
"product_reference": "eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch"
},
"product_reference": "eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src"
},
"product_reference": "eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch"
},
"product_reference": "eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
},
"product_reference": "eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src"
},
"product_reference": "eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
},
"product_reference": "eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
},
"product_reference": "eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
},
"product_reference": "eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
},
"product_reference": "eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
},
"product_reference": "eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
},
"product_reference": "eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
},
"product_reference": "eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
},
"product_reference": "eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
},
"product_reference": "eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
},
"product_reference": "eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
},
"product_reference": "eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
},
"product_reference": "eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
},
"product_reference": "eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
},
"product_reference": "eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
},
"product_reference": "eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
},
"product_reference": "eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch"
},
"product_reference": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src"
},
"product_reference": "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch"
},
"product_reference": "eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src"
},
"product_reference": "eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
},
"product_reference": "eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src"
},
"product_reference": "eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
},
"product_reference": "eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.1-EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-8840",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2020-03-02T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1816330"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind in versions 2.0.0 through 2.9.10.2. A \"gadget\" exploit is possible due to a lack of a Java object being blocking from being deserialized. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: Lacks certain xbean-reflect/JNDI blocking",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-8840"
},
{
"category": "external",
"summary": "RHBZ#1816330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816330"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-8840",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8840"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8840",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8840"
}
],
"release_date": "2020-03-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:27+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: Lacks certain xbean-reflect/JNDI blocking"
},
{
"cve": "CVE-2020-9546",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2020-03-02T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1816332"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: Serialization gadgets in shaded-hikari-config",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-9546"
},
{
"category": "external",
"summary": "RHBZ#1816332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816332"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-9546",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9546"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9546",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9546"
}
],
"release_date": "2020-03-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:27+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: Serialization gadgets in shaded-hikari-config"
},
{
"cve": "CVE-2020-9547",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2020-03-02T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1816337"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jackson-databind 2.x. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: Serialization gadgets in ibatis-sqlmap",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-9547"
},
{
"category": "external",
"summary": "RHBZ#1816337",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816337"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-9547",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9547"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9547",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9547"
}
],
"release_date": "2020-03-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:27+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: Serialization gadgets in ibatis-sqlmap"
},
{
"cve": "CVE-2020-9548",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2020-03-02T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1816340"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jackson-databind 2.x. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: Serialization gadgets in anteros-core",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.\n\nRed Hat Satellite 6 does not enable polymorphic deserialization which is a required configuration for the vulnerability to be used. We may update the jackson-databind dependency in a future release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-9548"
},
{
"category": "external",
"summary": "RHBZ#1816340",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816340"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-9548",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9548"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9548",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9548"
}
],
"release_date": "2020-03-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:27+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: Serialization gadgets in anteros-core"
},
{
"cve": "CVE-2020-10672",
"cwe": {
"id": "CWE-96",
"name": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)"
},
"discovery_date": "2020-03-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1815495"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-10672"
},
{
"category": "external",
"summary": "RHBZ#1815495",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815495"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-10672",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10672"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10672",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10672"
}
],
"release_date": "2020-03-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:27+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution"
},
{
"cve": "CVE-2020-10673",
"cwe": {
"id": "CWE-96",
"name": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)"
},
"discovery_date": "2020-03-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1815470"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform ships OpenDaylight, which contains the vulnerable jackson-databind. However, OpenDaylight does not expose jackson-databind in a way that would make it vulnerable, lowering the impact of the vulnerability for OpenDaylight. As such, Red Hat will not be providing a fix for OpenDaylight at this time. Additionally, the gadget is not available within Red Hat Openstack Platform\u0027s OpenDaylight.\n\nWhile OpenShift Container Platform\u0027s elasticsearch plugins do ship the vulnerable component, it doesn\u0027t do any of the unsafe things described in https://access.redhat.com/solutions/3279231. We may update the jackson-databind dependency in a future release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-10673"
},
{
"category": "external",
"summary": "RHBZ#1815470",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815470"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-10673",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10673"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10673",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10673"
}
],
"release_date": "2020-03-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:27+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution"
},
{
"cve": "CVE-2020-13936",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2021-03-10T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1937440"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in velocity. An attacker, able to modify Velocity templates, may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "velocity: arbitrary code execution when attacker is able to modify templates",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift Container Platform (OCP) openshift-logging/elasticsearch6-rhel8 container does contain a vulnerable version of velocity. The references to the library only occur in the x-pack component which is an enterprise-only feature of Elasticsearch - hence it has been marked as wontfix as this time and may be fixed in a future release. Additionally the hive container only references velocity in the testutils of the code but the code still exists in the container, as such it has been given a Moderate impact.\n\n* Velocity as shipped with Red Hat Enterprise Linux 6 is not affected because it does not contain the vulnerable code.\n\n* Velocity as shipped with Red Hat Enterprise Linux 7 contains a vulnerable version, but it is used as a dependency for IdM/ipa, which does not use the vulnerable functionality. It has been marked as Moderate for this reason.\n\n* Although velocity shipped in Red Hat Enterprise Linux 8\u0027s pki-deps:10.6 for IdM/ipa is a vulnerable version, the vulnerable code is not used by pki. It has been marked as Low for this reason.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src"
],
"known_not_affected": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-13936"
},
{
"category": "external",
"summary": "RHBZ#1937440",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937440"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-13936",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13936"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-13936",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13936"
}
],
"release_date": "2021-03-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:27+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "velocity: arbitrary code execution when attacker is able to modify templates"
},
{
"cve": "CVE-2021-3717",
"cwe": {
"id": "CWE-552",
"name": "Files or Directories Accessible to External Parties"
},
"discovery_date": "2021-07-27T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1991305"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the elytron configuration may lead to JBOSS_LOCAL_USER access to all users on the machine. The highest threat from this vulnerability is to confidentiality, integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-3717"
},
{
"category": "external",
"summary": "RHBZ#1991305",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991305"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-3717",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3717"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3717",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3717"
}
],
"release_date": "2021-08-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:27+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users"
},
{
"cve": "CVE-2021-44228",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2021-12-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2030932"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n\nIn Red Hat OpenShift Logging the vulnerable log4j library is shipped in the Elasticsearch components. Because Elasticsearch is not susceptible to remote code execution with this vulnerability due to use of the Java Security Manager and because access to these components is limited, the impact by this vulnerability is reduced to Moderate.\n\nAs per upstream applications using Log4j 1.x may be impacted by this flaw if their configuration uses JNDI. However, the risk is much lower. This flaw in Log4j 1.x is tracked via https://access.redhat.com/security/cve/CVE-2021-4104 and has been rated as having Moderate security impact.\n\nCodeReady Studio version 12.21.1 was released containing a fix for this vulnerability.\n\nThe following products are NOT affected by this flaw and have been explicitly listed here for the benefit of our customers.\n- Red Hat Enterprise Linux\n- Red Hat Advanced Cluster Management for Kubernetes \n- Red Hat Advanced Cluster Security for Kubernetes\n- Red Hat Ansible Automation Platform (Engine and Tower)\n- Red Hat Certificate System\n- Red Hat Directory Server\n- Red Hat Identity Management\n- Red Hat CloudForms \n- Red Hat Update Infrastructure\n- Red Hat Satellite\n- Red Hat Ceph Storage\n- Red Hat Gluster Storage\n- Red Hat OpenShift Data Foundation\n- Red Hat OpenStack Platform\n- Red Hat Virtualization\n- Red Hat Single Sign-On\n- Red Hat 3scale API Management",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44228"
},
{
"category": "external",
"summary": "RHBZ#2030932",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2030932"
},
{
"category": "external",
"summary": "RHSB-2021-009",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2021-009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44228",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44228"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q",
"url": "https://github.com/advisories/GHSA-jfh8-c2jp-5v3q"
},
{
"category": "external",
"summary": "https://logging.apache.org/log4j/2.x/security.html",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"category": "external",
"summary": "https://www.lunasec.io/docs/blog/log4j-zero-day/",
"url": "https://www.lunasec.io/docs/blog/log4j-zero-day/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2021-12-10T02:01:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:27+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
},
{
"category": "workaround",
"details": "For Log4j versions \u003e=2.10\nset the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true\n\nFor Log4j versions \u003e=2.7 and \u003c=2.14.1\nall PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m\n\nFor Log4j versions \u003e=2.0-beta9 and \u003c=2.10.0\nremove the JndiLookup class from the classpath. For example: \n```\nzip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class\n```\n\nOn OpenShift 4 and in OpenShift Logging, the above mitigation can be applied by following the steps in this article: https://access.redhat.com/solutions/6578421\n\nOn OpenShift 3.11, mitigation to the affected Elasticsearch component can be applied by following the steps in this article: https://access.redhat.com/solutions/6578441",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2021-12-10T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Critical"
}
],
"title": "log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value"
},
{
"cve": "CVE-2021-45046",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2032580"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.16.0. A remote attacker with control over Thread Context Map (MDC) input data could craft malicious input using a JNDI Lookup pattern resulting in remote code execution (RCE) in a limited number of environments.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Although we have matched Apache\u0027s CVSS score, with the exception of the scope metric which will remain unaltered at \"unchanged\"; as we believe code execution would be at the permission levels of the running JVM and not exceeding that of the original CVE-2021-44228 flaw.\n \nWe have given this vulnerability an impact rating of Moderate, this is because of the unlikely nature of log4j lookup mapping values being derived from attacker controlled values. This is not the default configuration for end-applications using log4j 2.x and would require explicit action from a privileged user (a developer or administrator) to access the vulnerability. \nIn certain non-default configurations, it was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was insufficient.\n\nThis issue affects the log4j version between 2.0 and 2.15. Log4j 1.x is NOT impacted by this vulnerability. \n\nPrerequisites to exploit this flaw are :\n\n- A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,\n- A log statement in the endpoint that logs the attacker controlled data.\n- Log4j configuration file should be explicitly configured to use a non-default Pattern Layout with a Context Lookup eg. ($${ctx:loginId}) \n\nIn most cases, the mitigation suggested for CVE-2021-44228 (i.e. to set the system property `log4j2.noFormatMsgLookup` to `true) does NOT mitigate this specific vulnerability. \nLog4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.\n\nFor Elasticsearch, as shipped in OpenShift 3.11, the \"log4j2.formatMsgNoLookups=true\" system property mitigation is sufficient as there are no included non-standard configurations that allow for exploitation:\n\nhttps://github.com/openshift/openshift-ansible/blob/release-3.11/roles/openshift_logging_elasticsearch/templates/log4j2.properties.j2\n\nhttps://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476\n\nFor CodeReady Studio the fix for this flaw is available on CodeReady Studio 12.21.3 and above versions.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-45046"
},
{
"category": "external",
"summary": "RHBZ#2032580",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2032580"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-45046",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-45046"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45046"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2021-44228",
"url": "https://access.redhat.com/security/cve/CVE-2021-44228"
},
{
"category": "external",
"summary": "https://logging.apache.org/log4j/2.x/security.html",
"url": "https://logging.apache.org/log4j/2.x/security.html"
},
{
"category": "external",
"summary": "https://www.openwall.com/lists/oss-security/2021/12/14/4",
"url": "https://www.openwall.com/lists/oss-security/2021/12/14/4"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2021-12-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:27+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
},
{
"category": "workaround",
"details": "For Log4j versions up to and including 2.15.0, this issue can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class).",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2023-05-01T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Moderate"
}
],
"title": "log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern (incomplete fix for CVE-2021-44228)"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src"
],
"known_not_affected": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:27+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-41881",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2022-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2153379"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41881"
},
{
"category": "external",
"summary": "RHBZ#2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881"
}
],
"release_date": "2022-12-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:27+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:27+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:27+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-42889",
"cwe": {
"id": "CWE-1188",
"name": "Initialization of a Resource with an Insecure Default"
},
"discovery_date": "2022-10-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135435"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-text: variable interpolation RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42889"
},
{
"category": "external",
"summary": "RHBZ#2135435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42889",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42889"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889"
},
{
"category": "external",
"summary": "https://blogs.apache.org/security/entry/cve-2022-42889",
"url": "https://blogs.apache.org/security/entry/cve-2022-42889"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om",
"url": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om"
},
{
"category": "external",
"summary": "https://seclists.org/oss-sec/2022/q4/22",
"url": "https://seclists.org/oss-sec/2022/q4/22"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:27+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
},
{
"category": "workaround",
"details": "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "apache-commons-text: variable interpolation RCE"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:27+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:27+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-02-24T00:08:27+00:00",
"details": "Before applying this update, ensure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-rt-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-services-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-apache-cxf-tools-0:3.1.16-4.redhat_00003.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jackson-databind-0:2.8.11.6-2.SP1_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-jettison-0:1.3.8-2.redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-netty-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-netty-all-0:4.1.63-1.Final_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-atom-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-cdi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-client-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-crypto-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jackson2-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxb-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jaxrs-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jettison-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jose-jwt-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-jsapi-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-json-p-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-multipart-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-spring-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-validator-provider-11-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-resteasy-yaml-provider-0:3.0.27-1.Final_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-velocity-0:1.7.0-3.redhat_00006.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.src",
"7Server-JBEAP-7.1-EUS:eap7-wildfly-modules-0:7.1.9-2.GA_redhat_00002.1.ep7.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
}
]
}
RHSA-2023_1043
Vulnerability from csaf_redhat - Published: 2023-03-01 22:02 - Updated: 2024-12-18 00:37Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 7
Notes
Topic
New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.2 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* keycloak: reflected XSS attack (CVE-2022-4137)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.2 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* jquery: Passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* keycloak: reflected XSS attack (CVE-2022-4137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1043",
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1043.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 7",
"tracking": {
"current_release_date": "2024-12-18T00:37:43+00:00",
"generator": {
"date": "2024-12-18T00:37:43+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:1043",
"initial_release_date": "2023-03-01T22:02:40+00:00",
"revision_history": [
{
"date": "2023-03-01T22:02:40+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-01T22:02:40+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-18T00:37:43+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product": {
"name": "Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"product": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el7sso?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"product": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el7sso?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"product": {
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"product_id": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@18.0.6-1.redhat_00001.1.el7sso?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
},
"product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"relates_to_product_reference": "7Server-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src"
},
"product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"relates_to_product_reference": "7Server-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server",
"product_id": "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
},
"product_reference": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"relates_to_product_reference": "7Server-RHSSO-7.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2021-35065",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156324"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glob-parent: Regular Expression Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-35065"
},
{
"category": "external",
"summary": "RHBZ#2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35065"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294",
"url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294"
}
],
"release_date": "2022-12-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "glob-parent: Regular Expression Denial of Service"
},
{
"cve": "CVE-2021-44906",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-03-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066009"
}
],
"notes": [
{
"category": "description",
"text": "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "minimist: prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44906"
},
{
"category": "external",
"summary": "RHBZ#2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"
}
],
"release_date": "2022-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "minimist: prototype pollution"
},
{
"acknowledgments": [
{
"names": [
"Marcus Nilsson"
],
"organization": "usd AG"
}
],
"cve": "CVE-2022-1274",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-04-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2073157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: HTML injection in execute-actions-email Admin REST API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1274"
},
{
"category": "external",
"summary": "RHBZ#2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1274"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725"
}
],
"release_date": "2023-02-28T18:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: HTML injection in execute-actions-email Admin REST API"
},
{
"acknowledgments": [
{
"names": [
"Grzegorz Tworek"
],
"organization": "SISOFT s.c."
}
],
"cve": "CVE-2022-1438",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2021-12-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031904"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: XSS on impersonation under specific circumstances",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1438"
},
{
"category": "external",
"summary": "RHBZ#2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1438"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438"
}
],
"release_date": "2023-02-28T18:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: XSS on impersonation under specific circumstances"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-2764",
"discovery_date": "2022-08-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2117506"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2764"
},
{
"category": "external",
"summary": "RHBZ#2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2764"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764"
}
],
"release_date": "2022-08-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations"
},
{
"acknowledgments": [
{
"names": [
"Peter Flintholm"
],
"organization": "Trifork"
}
],
"cve": "CVE-2022-3916",
"cwe": {
"id": "CWE-384",
"name": "Session Fixation"
},
"discovery_date": "2022-11-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2141404"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Session takeover with OIDC offline refreshtokens",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3916"
},
{
"category": "external",
"summary": "RHBZ#2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3916"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916"
}
],
"release_date": "2022-11-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Session takeover with OIDC offline refreshtokens"
},
{
"cve": "CVE-2022-4137",
"cwe": {
"id": "CWE-81",
"name": "Improper Neutralization of Script in an Error Message Web Page"
},
"discovery_date": "2022-11-25T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2148496"
}
],
"notes": [
{
"category": "description",
"text": "A reflected cross-site scripting (XSS) vulnerability was found in the \u0027oob\u0027 OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: reflected XSS attack",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4137"
},
{
"category": "external",
"summary": "RHBZ#2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4137",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137"
}
],
"release_date": "2023-03-01T13:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: reflected XSS attack"
},
{
"cve": "CVE-2022-24785",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-04-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2072009"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Moment.js: Path traversal in moment.locale",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24785"
},
{
"category": "external",
"summary": "RHBZ#2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4",
"url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
}
],
"release_date": "2022-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
},
{
"category": "workaround",
"details": "Sanitize the user-provided locale name before passing it to Moment.js.",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Moment.js: Path traversal in moment.locale"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-31129",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-07-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2105075"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "moment: inefficient parsing algorithm resulting in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31129"
},
{
"category": "external",
"summary": "RHBZ#2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
"url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
}
],
"release_date": "2022-07-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "moment: inefficient parsing algorithm resulting in DoS"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-38749",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129706"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38749"
},
{
"category": "external",
"summary": "RHBZ#2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode"
},
{
"cve": "CVE-2022-38750",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129707"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38750"
},
{
"category": "external",
"summary": "RHBZ#2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject"
},
{
"cve": "CVE-2022-38751",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129709"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38751"
},
{
"category": "external",
"summary": "RHBZ#2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46175",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json5: Prototype Pollution in JSON5 via Parse Method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46175"
},
{
"category": "external",
"summary": "RHBZ#2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175"
},
{
"category": "external",
"summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h",
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
}
],
"release_date": "2022-12-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "json5: Prototype Pollution in JSON5 via Parse Method"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "CXF: SSRF Vulnerability"
},
{
"acknowledgments": [
{
"names": [
"Sourav Kumar"
],
"organization": "https://github.com/souravs17031999",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0091",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Client Registration endpoint does not check token revocation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0091"
},
{
"category": "external",
"summary": "RHBZ#2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0091"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg"
},
{
"category": "external",
"summary": "https://github.com/keycloak/security/issues/27",
"url": "https://github.com/keycloak/security/issues/27"
}
],
"release_date": "2022-10-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Client Registration endpoint does not check token revocation"
},
{
"acknowledgments": [
{
"names": [
"Jordi Zayuelas i Mu\u00f1oz"
],
"organization": "A1 Digital",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0264",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2023-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: user impersonation via stolen uuid code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0264"
},
{
"category": "external",
"summary": "RHBZ#2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0264"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264"
}
],
"release_date": "2023-02-28T18:58:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T22:02:40+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch",
"7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src",
"7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: user impersonation via stolen uuid code"
}
]
}
RHSA-2023_1044
Vulnerability from csaf_redhat - Published: 2023-03-01 21:45 - Updated: 2024-12-18 00:38Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 8
Notes
Topic
New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.2 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* keycloak: reflected XSS attack (CVE-2022-4137)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.2 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* jquery: Passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* keycloak: reflected XSS attack (CVE-2022-4137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1044",
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1044.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 8",
"tracking": {
"current_release_date": "2024-12-18T00:38:15+00:00",
"generator": {
"date": "2024-12-18T00:38:15+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:1044",
"initial_release_date": "2023-03-01T21:45:12+00:00",
"revision_history": [
{
"date": "2023-03-01T21:45:12+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-01T21:45:12+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-18T00:38:15+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7.6 for RHEL 8",
"product": {
"name": "Red Hat Single Sign-On 7.6 for RHEL 8",
"product_id": "8Base-RHSSO-7.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"product": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el8sso?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"product": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el8sso?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"product": {
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"product_id": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@18.0.6-1.redhat_00001.1.el8sso?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
"product_id": "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
},
"product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"relates_to_product_reference": "8Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
"product_id": "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src"
},
"product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"relates_to_product_reference": "8Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
"product_id": "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
},
"product_reference": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"relates_to_product_reference": "8Base-RHSSO-7.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2021-35065",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156324"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glob-parent: Regular Expression Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-35065"
},
{
"category": "external",
"summary": "RHBZ#2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35065"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294",
"url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294"
}
],
"release_date": "2022-12-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "glob-parent: Regular Expression Denial of Service"
},
{
"cve": "CVE-2021-44906",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-03-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066009"
}
],
"notes": [
{
"category": "description",
"text": "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "minimist: prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44906"
},
{
"category": "external",
"summary": "RHBZ#2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"
}
],
"release_date": "2022-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "minimist: prototype pollution"
},
{
"acknowledgments": [
{
"names": [
"Marcus Nilsson"
],
"organization": "usd AG"
}
],
"cve": "CVE-2022-1274",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-04-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2073157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: HTML injection in execute-actions-email Admin REST API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1274"
},
{
"category": "external",
"summary": "RHBZ#2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1274"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725"
}
],
"release_date": "2023-02-28T18:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: HTML injection in execute-actions-email Admin REST API"
},
{
"acknowledgments": [
{
"names": [
"Grzegorz Tworek"
],
"organization": "SISOFT s.c."
}
],
"cve": "CVE-2022-1438",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2021-12-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031904"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: XSS on impersonation under specific circumstances",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1438"
},
{
"category": "external",
"summary": "RHBZ#2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1438"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438"
}
],
"release_date": "2023-02-28T18:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: XSS on impersonation under specific circumstances"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-2764",
"discovery_date": "2022-08-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2117506"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2764"
},
{
"category": "external",
"summary": "RHBZ#2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2764"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764"
}
],
"release_date": "2022-08-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations"
},
{
"acknowledgments": [
{
"names": [
"Peter Flintholm"
],
"organization": "Trifork"
}
],
"cve": "CVE-2022-3916",
"cwe": {
"id": "CWE-384",
"name": "Session Fixation"
},
"discovery_date": "2022-11-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2141404"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Session takeover with OIDC offline refreshtokens",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3916"
},
{
"category": "external",
"summary": "RHBZ#2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3916"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916"
}
],
"release_date": "2022-11-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Session takeover with OIDC offline refreshtokens"
},
{
"cve": "CVE-2022-4137",
"cwe": {
"id": "CWE-81",
"name": "Improper Neutralization of Script in an Error Message Web Page"
},
"discovery_date": "2022-11-25T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2148496"
}
],
"notes": [
{
"category": "description",
"text": "A reflected cross-site scripting (XSS) vulnerability was found in the \u0027oob\u0027 OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: reflected XSS attack",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4137"
},
{
"category": "external",
"summary": "RHBZ#2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4137",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137"
}
],
"release_date": "2023-03-01T13:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: reflected XSS attack"
},
{
"cve": "CVE-2022-24785",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-04-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2072009"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Moment.js: Path traversal in moment.locale",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24785"
},
{
"category": "external",
"summary": "RHBZ#2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4",
"url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
}
],
"release_date": "2022-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
},
{
"category": "workaround",
"details": "Sanitize the user-provided locale name before passing it to Moment.js.",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Moment.js: Path traversal in moment.locale"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-31129",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-07-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2105075"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "moment: inefficient parsing algorithm resulting in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31129"
},
{
"category": "external",
"summary": "RHBZ#2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
"url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
}
],
"release_date": "2022-07-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "moment: inefficient parsing algorithm resulting in DoS"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-38749",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129706"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38749"
},
{
"category": "external",
"summary": "RHBZ#2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode"
},
{
"cve": "CVE-2022-38750",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129707"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38750"
},
{
"category": "external",
"summary": "RHBZ#2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject"
},
{
"cve": "CVE-2022-38751",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129709"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38751"
},
{
"category": "external",
"summary": "RHBZ#2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46175",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json5: Prototype Pollution in JSON5 via Parse Method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46175"
},
{
"category": "external",
"summary": "RHBZ#2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175"
},
{
"category": "external",
"summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h",
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
}
],
"release_date": "2022-12-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "json5: Prototype Pollution in JSON5 via Parse Method"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "CXF: SSRF Vulnerability"
},
{
"acknowledgments": [
{
"names": [
"Sourav Kumar"
],
"organization": "https://github.com/souravs17031999",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0091",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Client Registration endpoint does not check token revocation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0091"
},
{
"category": "external",
"summary": "RHBZ#2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0091"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg"
},
{
"category": "external",
"summary": "https://github.com/keycloak/security/issues/27",
"url": "https://github.com/keycloak/security/issues/27"
}
],
"release_date": "2022-10-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Client Registration endpoint does not check token revocation"
},
{
"acknowledgments": [
{
"names": [
"Jordi Zayuelas i Mu\u00f1oz"
],
"organization": "A1 Digital",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0264",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2023-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: user impersonation via stolen uuid code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0264"
},
{
"category": "external",
"summary": "RHBZ#2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0264"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264"
}
],
"release_date": "2023-02-28T18:58:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: user impersonation via stolen uuid code"
}
]
}
RHSA-2023:1044
Vulnerability from csaf_redhat - Published: 2023-03-01 21:45 - Updated: 2025-12-05 06:19Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 8
Notes
Topic
New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.2 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* keycloak: reflected XSS attack (CVE-2022-4137)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.2 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* jquery: Passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* keycloak: reflected XSS attack (CVE-2022-4137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1044",
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1044.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 8",
"tracking": {
"current_release_date": "2025-12-05T06:19:24+00:00",
"generator": {
"date": "2025-12-05T06:19:24+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.13"
}
},
"id": "RHSA-2023:1044",
"initial_release_date": "2023-03-01T21:45:12+00:00",
"revision_history": [
{
"date": "2023-03-01T21:45:12+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-01T21:45:12+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-12-05T06:19:24+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7.6 for RHEL 8",
"product": {
"name": "Red Hat Single Sign-On 7.6 for RHEL 8",
"product_id": "8Base-RHSSO-7.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"product": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el8sso?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"product": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el8sso?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"product": {
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"product_id": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@18.0.6-1.redhat_00001.1.el8sso?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
"product_id": "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
},
"product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"relates_to_product_reference": "8Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
"product_id": "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src"
},
"product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"relates_to_product_reference": "8Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 8",
"product_id": "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
},
"product_reference": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"relates_to_product_reference": "8Base-RHSSO-7.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. As PCS does not accept untrusted input, the vulnerable code cannot be controlled by an attacker.\n\nMultiple Red Hat offerings use doxygen to build documentation. During this process an affected jquery.js file can be included in the resulting package. The \u0027gcc\u0027 and \u0027tbb\u0027 packages were potentially vulnerable via this method.\n\nOpenShift Container Platform 4 is not affected because even though it uses the \u0027gcc\u0027 component, vulnerable code is limited within the libstdc++-docs rpm package, which is not shipped.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nStatic code analysis controls ensure that security flaws, including XSS vulnerabilities, are detected early in development by scanning code for improper input handling. This prevents vulnerable code from reaching production and encourages our developers to follow secure coding practices. System monitoring controls play a crucial role in detecting and responding to XSS attacks by analyzing logs, monitoring user behavior, and generating alerts for suspicious activity. Meanwhile, AWS WAF (Web Application Firewall) adds an extra layer of defense by filtering and blocking malicious input before it reaches the platform and/or application. Together, these controls create a defense-in-depth approach, reducing the risk of XSS exploitation by preventing, detecting, and mitigating attacks at multiple levels.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2025-01-23T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2021-35065",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156324"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glob-parent: Regular Expression Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-35065"
},
{
"category": "external",
"summary": "RHBZ#2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35065"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294",
"url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294"
}
],
"release_date": "2022-12-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "glob-parent: Regular Expression Denial of Service"
},
{
"cve": "CVE-2021-44906",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-03-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066009"
}
],
"notes": [
{
"category": "description",
"text": "An Uncontrolled Resource Consumption flaw was found in minimist. The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. This flaw (CVE-2021-44906) allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "minimist: prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "As minimist is an argument parsing module for nodejs, exploitation of this vulnerability requires an attacker to influence which arguments are passed to nodejs when running a script. Red Hat products and services are designed in such a way that gaining this ability is not trivial. Additionally, the impact is limited by only enabling the pollution of functions, and not all generic objects.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44906"
},
{
"category": "external",
"summary": "RHBZ#2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"
}
],
"release_date": "2022-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "minimist: prototype pollution"
},
{
"acknowledgments": [
{
"names": [
"Marcus Nilsson"
],
"organization": "usd AG"
}
],
"cve": "CVE-2022-1274",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-04-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2073157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: HTML injection in execute-actions-email Admin REST API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1274"
},
{
"category": "external",
"summary": "RHBZ#2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1274"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725"
}
],
"release_date": "2023-02-28T18:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: HTML injection in execute-actions-email Admin REST API"
},
{
"acknowledgments": [
{
"names": [
"Grzegorz Tworek"
],
"organization": "SISOFT s.c."
}
],
"cve": "CVE-2022-1438",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2021-12-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031904"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: XSS on impersonation under specific circumstances",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1438"
},
{
"category": "external",
"summary": "RHBZ#2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1438"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438"
}
],
"release_date": "2023-02-28T18:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: XSS on impersonation under specific circumstances"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-2764",
"discovery_date": "2022-08-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2117506"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2764"
},
{
"category": "external",
"summary": "RHBZ#2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2764"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764"
}
],
"release_date": "2022-08-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations"
},
{
"acknowledgments": [
{
"names": [
"Peter Flintholm"
],
"organization": "Trifork"
}
],
"cve": "CVE-2022-3916",
"cwe": {
"id": "CWE-384",
"name": "Session Fixation"
},
"discovery_date": "2022-11-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2141404"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Session takeover with OIDC offline refreshtokens",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3916"
},
{
"category": "external",
"summary": "RHBZ#2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3916"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916"
}
],
"release_date": "2022-11-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Session takeover with OIDC offline refreshtokens"
},
{
"cve": "CVE-2022-4137",
"cwe": {
"id": "CWE-81",
"name": "Improper Neutralization of Script in an Error Message Web Page"
},
"discovery_date": "2022-11-25T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2148496"
}
],
"notes": [
{
"category": "description",
"text": "A reflected cross-site scripting (XSS) vulnerability was found in the \u0027oob\u0027 OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: reflected XSS attack",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4137"
},
{
"category": "external",
"summary": "RHBZ#2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4137",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137"
}
],
"release_date": "2023-03-01T13:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: reflected XSS attack"
},
{
"cve": "CVE-2022-24785",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-04-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2072009"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Moment.js: Path traversal in moment.locale",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Quay 3.10 and above, no version of affected momentjs is present.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24785"
},
{
"category": "external",
"summary": "RHBZ#2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4",
"url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
}
],
"release_date": "2022-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
},
{
"category": "workaround",
"details": "Sanitize the user-provided locale name before passing it to Moment.js.",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Moment.js: Path traversal in moment.locale"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-31129",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-07-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2105075"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "moment: inefficient parsing algorithm resulting in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.\n\nIn Quay IO 3.10 and above, no version of affected momentjs is present.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31129"
},
{
"category": "external",
"summary": "RHBZ#2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
"url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
}
],
"release_date": "2022-07-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "moment: inefficient parsing algorithm resulting in DoS"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-38749",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129706"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38749"
},
{
"category": "external",
"summary": "RHBZ#2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode"
},
{
"cve": "CVE-2022-38750",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129707"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38750"
},
{
"category": "external",
"summary": "RHBZ#2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject"
},
{
"cve": "CVE-2022-38751",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129709"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38751"
},
{
"category": "external",
"summary": "RHBZ#2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46175",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json5: Prototype Pollution in JSON5 via Parse Method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46175"
},
{
"category": "external",
"summary": "RHBZ#2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175"
},
{
"category": "external",
"summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h",
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
}
],
"release_date": "2022-12-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "json5: Prototype Pollution in JSON5 via Parse Method"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "CXF: SSRF Vulnerability"
},
{
"acknowledgments": [
{
"names": [
"Sourav Kumar"
],
"organization": "https://github.com/souravs17031999",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0091",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Client Registration endpoint does not check token revocation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0091"
},
{
"category": "external",
"summary": "RHBZ#2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0091"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg"
},
{
"category": "external",
"summary": "https://github.com/keycloak/security/issues/27",
"url": "https://github.com/keycloak/security/issues/27"
}
],
"release_date": "2022-10-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Client Registration endpoint does not check token revocation"
},
{
"acknowledgments": [
{
"names": [
"Jordi Zayuelas i Mu\u00f1oz"
],
"organization": "A1 Digital",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0264",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2023-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: user impersonation via stolen uuid code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0264"
},
{
"category": "external",
"summary": "RHBZ#2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0264"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264"
}
],
"release_date": "2023-02-28T18:58:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:12+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch",
"8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src",
"8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: user impersonation via stolen uuid code"
}
]
}
RHSA-2023:0713
Vulnerability from csaf_redhat - Published: 2023-02-09 11:35 - Updated: 2025-11-21 18:37Summary
Red Hat Security Advisory: Red Hat Data Grid 8.4.1 security update
Notes
Topic
An update for Red Hat Data Grid 8 is now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.
Data Grid 8.4.1 replaces Data Grid 8.4.0 and includes bug fixes and enhancements. Find out more about Data Grid 8.4.1 in the Release Notes[3].
Security Fix(es):
* mina-sshd: Java unsafe deserialization vulnerability [jdg-8] (CVE-2022-45047)
* file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop [jdg-8] (CVE-2022-36313)
* loader-utils: loader-utils:Regular expression denial of service [jdg-8] (CVE-2022-37603)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [jdg-8] (CVE-2022-41881)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [jdg-8] (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays [jdg-8] (CVE-2022-42004)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Data Grid 8 is now available.\n \nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.\n \nData Grid 8.4.1 replaces Data Grid 8.4.0 and includes bug fixes and enhancements. Find out more about Data Grid 8.4.1 in the Release Notes[3].\n\nSecurity Fix(es):\n\n* mina-sshd: Java unsafe deserialization vulnerability [jdg-8] (CVE-2022-45047)\n\n* file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop [jdg-8] (CVE-2022-36313)\n\n* loader-utils: loader-utils:Regular expression denial of service [jdg-8] (CVE-2022-37603)\n\n* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [jdg-8] (CVE-2022-41881)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [jdg-8] (CVE-2022-42003)\n\n* jackson-databind: use of deeply nested arrays [jdg-8] (CVE-2022-42004)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0713",
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=8.4\u0026downloadType=patches",
"url": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=8.4\u0026downloadType=patches"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.4/html-single/red_hat_data_grid_8.4_release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.4/html-single/red_hat_data_grid_8.4_release_notes/index"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "external",
"summary": "2159682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2159682"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0713.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Data Grid 8.4.1 security update",
"tracking": {
"current_release_date": "2025-11-21T18:37:40+00:00",
"generator": {
"date": "2025-11-21T18:37:40+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2023:0713",
"initial_release_date": "2023-02-09T11:35:44+00:00",
"revision_history": [
{
"date": "2023-02-09T11:35:44+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-02-09T11:35:44+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:37:40+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Data Grid 8.4.1",
"product": {
"name": "Red Hat Data Grid 8.4.1",
"product_id": "Red Hat Data Grid 8.4.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_data_grid:8"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Data Grid"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-36313",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2023-01-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2159682"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the file-type npm package. A malformed MKV file could lead the file type detector to a denial of Service. This issue allows an attacker to input a malicious file and make the server unresponsive.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36313"
},
{
"category": "external",
"summary": "RHBZ#2159682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2159682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36313",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36313"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36313",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36313"
}
],
"release_date": "2022-07-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-09T11:35:44+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.1 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.1 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.1, refer to the 8.4.1 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.4.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-09T11:35:44+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.1 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.1 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.1, refer to the 8.4.1 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.4.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-41881",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2022-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2153379"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41881"
},
{
"category": "external",
"summary": "RHBZ#2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881"
}
],
"release_date": "2022-12-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-09T11:35:44+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.1 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.1 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.1, refer to the 8.4.1 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.4.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-09T11:35:44+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.1 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.1 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.1, refer to the 8.4.1 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.4.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-09T11:35:44+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.1 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.1 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.1, refer to the 8.4.1 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.4.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-09T11:35:44+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.1 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.1 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.1, refer to the 8.4.1 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.4.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"Red Hat Data Grid 8.4.1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
}
]
}
RHSA-2023:0553
Vulnerability from csaf_redhat - Published: 2023-01-31 13:12 - Updated: 2025-11-21 18:37Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* jquery: Prototype pollution in object's prototype leading to denial of
service, remote code execution, or property injection (CVE-2019-11358)
* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
(CVE-2018-14040)
* jquery: Untrusted code execution via <option> tag in HTML passed to DOM
manipulation methods (CVE-2020-11023)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
(CVE-2020-11022)
* bootstrap: XSS in the data-target attribute (CVE-2016-10735)
* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy
(CVE-2018-14041)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability
(CVE-2022-45047)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40152)
* bootstrap: Cross-site Scripting (XSS) in the data-container property of
tooltip (CVE-2018-14042)
* bootstrap: XSS in the tooltip or popover data-template attribute
(CVE-2019-8331)
* nodejs-moment: Regular expression denial of service (CVE-2017-18214)
* wildfly-elytron: possible timing attacks via use of unsafe comparator
(CVE-2022-3143)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
(CVE-2022-42003)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jettison: memory exhaustion via user-supplied XML or JSON data
(CVE-2022-40150)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of\nservice, remote code execution, or property injection (CVE-2019-11358)\n\n* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)\n\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute\n(CVE-2018-14040)\n\n* jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM\nmanipulation methods (CVE-2020-11023)\n\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method\n(CVE-2020-11022)\n\n* bootstrap: XSS in the data-target attribute (CVE-2016-10735)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy\n(CVE-2018-14041)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability\n(CVE-2022-45047)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of\nService attacks (CVE-2022-40152)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-container property of\ntooltip (CVE-2018-14042)\n\n* bootstrap: XSS in the tooltip or popover data-template attribute\n(CVE-2019-8331)\n\n* nodejs-moment: Regular expression denial of service (CVE-2017-18214)\n\n* wildfly-elytron: possible timing attacks via use of unsafe comparator\n(CVE-2022-3143)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS\n(CVE-2022-42003)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data\n(CVE-2022-40150)\n\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0553",
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/"
},
{
"category": "external",
"summary": "1399546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546"
},
{
"category": "external",
"summary": "1553413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1668097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097"
},
{
"category": "external",
"summary": "1686454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "2124682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682"
},
{
"category": "external",
"summary": "2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "JBEAP-23864",
"url": "https://issues.redhat.com/browse/JBEAP-23864"
},
{
"category": "external",
"summary": "JBEAP-23865",
"url": "https://issues.redhat.com/browse/JBEAP-23865"
},
{
"category": "external",
"summary": "JBEAP-23866",
"url": "https://issues.redhat.com/browse/JBEAP-23866"
},
{
"category": "external",
"summary": "JBEAP-23927",
"url": "https://issues.redhat.com/browse/JBEAP-23927"
},
{
"category": "external",
"summary": "JBEAP-24055",
"url": "https://issues.redhat.com/browse/JBEAP-24055"
},
{
"category": "external",
"summary": "JBEAP-24081",
"url": "https://issues.redhat.com/browse/JBEAP-24081"
},
{
"category": "external",
"summary": "JBEAP-24095",
"url": "https://issues.redhat.com/browse/JBEAP-24095"
},
{
"category": "external",
"summary": "JBEAP-24100",
"url": "https://issues.redhat.com/browse/JBEAP-24100"
},
{
"category": "external",
"summary": "JBEAP-24127",
"url": "https://issues.redhat.com/browse/JBEAP-24127"
},
{
"category": "external",
"summary": "JBEAP-24128",
"url": "https://issues.redhat.com/browse/JBEAP-24128"
},
{
"category": "external",
"summary": "JBEAP-24132",
"url": "https://issues.redhat.com/browse/JBEAP-24132"
},
{
"category": "external",
"summary": "JBEAP-24147",
"url": "https://issues.redhat.com/browse/JBEAP-24147"
},
{
"category": "external",
"summary": "JBEAP-24167",
"url": "https://issues.redhat.com/browse/JBEAP-24167"
},
{
"category": "external",
"summary": "JBEAP-24191",
"url": "https://issues.redhat.com/browse/JBEAP-24191"
},
{
"category": "external",
"summary": "JBEAP-24195",
"url": "https://issues.redhat.com/browse/JBEAP-24195"
},
{
"category": "external",
"summary": "JBEAP-24207",
"url": "https://issues.redhat.com/browse/JBEAP-24207"
},
{
"category": "external",
"summary": "JBEAP-24248",
"url": "https://issues.redhat.com/browse/JBEAP-24248"
},
{
"category": "external",
"summary": "JBEAP-24426",
"url": "https://issues.redhat.com/browse/JBEAP-24426"
},
{
"category": "external",
"summary": "JBEAP-24427",
"url": "https://issues.redhat.com/browse/JBEAP-24427"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0553.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update",
"tracking": {
"current_release_date": "2025-11-21T18:37:17+00:00",
"generator": {
"date": "2025-11-21T18:37:17+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2023:0553",
"initial_release_date": "2023-01-31T13:12:13+00:00",
"revision_history": [
{
"date": "2023-01-31T13:12:13+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-31T13:12:13+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:37:17+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss EAP 7.4 for RHEL 8",
"product": {
"name": "Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-elytron-web@1.9.3-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src",
"product_id": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-woodstox-core@6.4.0-1.redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_id": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-1.redhat_00003.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_id": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-1.redhat_00003.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_id": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-1.redhat_00003.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"product": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"product_id": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-javaee-security-soteria@1.0.1-3.redhat_00003.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product": {
"name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_id": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-providers@2.12.7-1.redhat_00003.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_id": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-1.redhat_00003.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"product": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"product_id": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-1.redhat_00002.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_id": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-1.redhat_00003.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"product_id": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow@2.2.22-1.SP3_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.27-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.3.16-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar@1.5.10-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"product_id": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-sshd@2.9.2-1.redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsp-api_2.3_spec@2.0.0-3.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-ejb-client@4.0.49-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"product_id": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsf-api_2.3_spec@3.0.0-6.SP07_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search@5.10.13-3.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.16-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"product": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"product_id": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-24.Final_redhat_00023.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"product": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"product_id": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.4.9-4.GA_redhat_00003.1.el8eap?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow-server@1.9.3-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"product_id": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-woodstox-core@6.4.0-1.redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-datatype-jdk8@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-datatype-jsr310@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-javaee-security-soteria@1.0.1-3.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-javaee-security-soteria-enterprise@1.0.1-3.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-base@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-json-provider@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-module-jaxb-annotations@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"product": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"product_id": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-1.redhat_00002.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow@2.2.22-1.SP3_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.27-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.3.16-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-api@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-impl@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-spi@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-core-api@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-core-impl@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-deployers-common@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-jdbc@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-validator@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"product_id": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-sshd@2.9.2-1.redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsp-api_2.3_spec@2.0.0-3.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-ejb-client@4.0.49-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsf-api_2.3_spec@3.0.0-6.SP07_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search@5.10.13-3.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-backend-jgroups@5.10.13-3.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-backend-jms@5.10.13-3.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-engine@5.10.13-3.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-orm@5.10.13-3.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-serialization-avro@5.10.13-3.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.16-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.16-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"product_id": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-24.Final_redhat_00023.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"product_id": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-24.Final_redhat_00023.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"product_id": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-24.Final_redhat_00023.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"product_id": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.4.9-4.GA_redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"product_id": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.9-4.GA_redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"product_id": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.9-4.GA_redhat_00003.1.el8eap?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src"
},
"product_reference": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src"
},
"product_reference": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src"
},
"product_reference": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src"
},
"product_reference": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src"
},
"product_reference": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src"
},
"product_reference": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src"
},
"product_reference": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src"
},
"product_reference": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch"
},
"product_reference": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src"
},
"product_reference": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src"
},
"product_reference": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-9251",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2016-11-27T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1399546"
}
],
"notes": [
{
"category": "description",
"text": "jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting via cross-domain ajax requests",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-9251"
},
{
"category": "external",
"summary": "RHBZ#1399546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-9251",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-9251"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251"
}
],
"release_date": "2015-06-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Cross-site scripting via cross-domain ajax requests"
},
{
"cve": "CVE-2016-10735",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-01-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1668097"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: XSS in the data-target attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.\n\nRed Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-10735"
},
{
"category": "external",
"summary": "RHBZ#1668097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-10735",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10735"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735"
}
],
"release_date": "2016-06-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: XSS in the data-target attribute"
},
{
"cve": "CVE-2017-18214",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2018-03-08T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1553413"
}
],
"notes": [
{
"category": "description",
"text": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-moment: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of momentjs as shipped with Red Hat Enterprise Satellite 5. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.\n\nIn Quay 3.10 and above, no version of affected momentjs is present.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-18214"
},
{
"category": "external",
"summary": "RHBZ#1553413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-18214",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-18214"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214"
}
],
"release_date": "2017-09-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs-moment: Regular expression denial of service"
},
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14041",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601616"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting, caused by improper validation of user-supplied input by the data-target property of scrollspy. This flaw allows a remote attacker to execute a script in a victim\u0027s Web browser within the security context of the hosting Web site, which can lead to stealing the victim\u0027s cookie-based authentication credentials.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14041"
},
{
"category": "external",
"summary": "RHBZ#1601616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14041",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14041"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-8331",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-02-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1686454"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popover events fired.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: XSS in the tooltip or popover data-template attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-8331"
},
{
"category": "external",
"summary": "RHBZ#1686454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-8331",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8331"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331"
}
],
"release_date": "2019-02-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: XSS in the tooltip or popover data-template attribute"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. As PCS does not accept untrusted input, the vulnerable code cannot be controlled by an attacker.\n\nMultiple Red Hat offerings use doxygen to build documentation. During this process an affected jquery.js file can be included in the resulting package. The \u0027gcc\u0027 and \u0027tbb\u0027 packages were potentially vulnerable via this method.\n\nOpenShift Container Platform 4 is not affected because even though it uses the \u0027gcc\u0027 component, vulnerable code is limited within the libstdc++-docs rpm package, which is not shipped.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nStatic code analysis controls ensure that security flaws, including XSS vulnerabilities, are detected early in development by scanning code for improper input handling. This prevents vulnerable code from reaching production and encourages our developers to follow secure coding practices. System monitoring controls play a crucial role in detecting and responding to XSS attacks by analyzing logs, monitoring user behavior, and generating alerts for suspicious activity. Meanwhile, AWS WAF (Web Application Firewall) adds an extra layer of defense by filtering and blocking malicious input before it reaches the platform and/or application. Together, these controls create a defense-in-depth approach, reducing the risk of XSS exploitation by preventing, detecting, and mitigating attacks at multiple levels.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2025-01-23T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2022-3143",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-09-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2124682"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-elytron: possible timing attacks via use of unsafe comparator",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3143"
},
{
"category": "external",
"summary": "RHBZ#2124682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3143",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3143"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143"
}
],
"release_date": "2022-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly-elytron: possible timing attacks via use of unsafe comparator"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-40152",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134291"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40152"
},
{
"category": "external",
"summary": "RHBZ#2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40152",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4",
"url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "CXF: SSRF Vulnerability"
}
]
}
RHSA-2023_0556
Vulnerability from csaf_redhat - Published: 2023-01-31 13:18 - Updated: 2024-12-16 02:19Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* jquery: Prototype pollution in object's prototype leading to denial of
service, remote code execution, or property injection (CVE-2019-11358)
* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Untrusted code execution via <option> tag in HTML passed to DOM
manipulation methods (CVE-2020-11023)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* bootstrap: XSS in the data-target attribute (CVE-2016-10735)
* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy (CVE-2018-14041)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40152)
* bootstrap: Cross-site Scripting (XSS) in the data-container property of
tooltip (CVE-2018-14042)
* bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)
* nodejs-moment: Regular expression denial of service (CVE-2017-18214)
* wildfly-elytron: possible timing attacks via use of unsafe comparator (CVE-2022-3143)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of\nservice, remote code execution, or property injection (CVE-2019-11358)\n\n* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)\n\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n\n* jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM\nmanipulation methods (CVE-2020-11023)\n\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n\n* bootstrap: XSS in the data-target attribute (CVE-2016-10735)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy (CVE-2018-14041)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of\nService attacks (CVE-2022-40152)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-container property of\ntooltip (CVE-2018-14042)\n\n* bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)\n\n* nodejs-moment: Regular expression denial of service (CVE-2017-18214)\n\n* wildfly-elytron: possible timing attacks via use of unsafe comparator (CVE-2022-3143)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0556",
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/"
},
{
"category": "external",
"summary": "1399546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546"
},
{
"category": "external",
"summary": "1553413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1668097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097"
},
{
"category": "external",
"summary": "1686454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "2124682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682"
},
{
"category": "external",
"summary": "2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "JBEAP-23864",
"url": "https://issues.redhat.com/browse/JBEAP-23864"
},
{
"category": "external",
"summary": "JBEAP-23865",
"url": "https://issues.redhat.com/browse/JBEAP-23865"
},
{
"category": "external",
"summary": "JBEAP-23866",
"url": "https://issues.redhat.com/browse/JBEAP-23866"
},
{
"category": "external",
"summary": "JBEAP-24055",
"url": "https://issues.redhat.com/browse/JBEAP-24055"
},
{
"category": "external",
"summary": "JBEAP-24081",
"url": "https://issues.redhat.com/browse/JBEAP-24081"
},
{
"category": "external",
"summary": "JBEAP-24095",
"url": "https://issues.redhat.com/browse/JBEAP-24095"
},
{
"category": "external",
"summary": "JBEAP-24100",
"url": "https://issues.redhat.com/browse/JBEAP-24100"
},
{
"category": "external",
"summary": "JBEAP-24127",
"url": "https://issues.redhat.com/browse/JBEAP-24127"
},
{
"category": "external",
"summary": "JBEAP-24128",
"url": "https://issues.redhat.com/browse/JBEAP-24128"
},
{
"category": "external",
"summary": "JBEAP-24132",
"url": "https://issues.redhat.com/browse/JBEAP-24132"
},
{
"category": "external",
"summary": "JBEAP-24147",
"url": "https://issues.redhat.com/browse/JBEAP-24147"
},
{
"category": "external",
"summary": "JBEAP-24167",
"url": "https://issues.redhat.com/browse/JBEAP-24167"
},
{
"category": "external",
"summary": "JBEAP-24191",
"url": "https://issues.redhat.com/browse/JBEAP-24191"
},
{
"category": "external",
"summary": "JBEAP-24195",
"url": "https://issues.redhat.com/browse/JBEAP-24195"
},
{
"category": "external",
"summary": "JBEAP-24207",
"url": "https://issues.redhat.com/browse/JBEAP-24207"
},
{
"category": "external",
"summary": "JBEAP-24248",
"url": "https://issues.redhat.com/browse/JBEAP-24248"
},
{
"category": "external",
"summary": "JBEAP-24426",
"url": "https://issues.redhat.com/browse/JBEAP-24426"
},
{
"category": "external",
"summary": "JBEAP-24427",
"url": "https://issues.redhat.com/browse/JBEAP-24427"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0556.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update",
"tracking": {
"current_release_date": "2024-12-16T02:19:57+00:00",
"generator": {
"date": "2024-12-16T02:19:57+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:0556",
"initial_release_date": "2023-01-31T13:18:26+00:00",
"revision_history": [
{
"date": "2023-01-31T13:18:26+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-31T13:18:26+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-16T02:19:57+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 7",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 7",
"product_id": "Red Hat JBoss Enterprise Application Platform 7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-9251",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2016-11-27T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1399546"
}
],
"notes": [
{
"category": "description",
"text": "jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting via cross-domain ajax requests",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-9251"
},
{
"category": "external",
"summary": "RHBZ#1399546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-9251",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-9251"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251"
}
],
"release_date": "2015-06-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Cross-site scripting via cross-domain ajax requests"
},
{
"cve": "CVE-2016-10735",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-01-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1668097"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: XSS in the data-target attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.\n\nRed Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-10735"
},
{
"category": "external",
"summary": "RHBZ#1668097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-10735",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10735"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735"
}
],
"release_date": "2016-06-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: XSS in the data-target attribute"
},
{
"cve": "CVE-2017-18214",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2018-03-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1553413"
}
],
"notes": [
{
"category": "description",
"text": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-moment: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of momentjs as shipped with Red Hat Enterprise Satellite 5. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-18214"
},
{
"category": "external",
"summary": "RHBZ#1553413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-18214",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-18214"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214"
}
],
"release_date": "2017-09-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs-moment: Regular expression denial of service"
},
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14041",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601616"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting, caused by improper validation of user-supplied input by the data-target property of scrollspy. This flaw allows a remote attacker to execute a script in a victim\u0027s Web browser within the security context of the hosting Web site, which can lead to stealing the victim\u0027s cookie-based authentication credentials.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14041"
},
{
"category": "external",
"summary": "RHBZ#1601616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14041",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14041"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-8331",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-02-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1686454"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popover events fired.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: XSS in the tooltip or popover data-template attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-8331"
},
{
"category": "external",
"summary": "RHBZ#1686454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-8331",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8331"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331"
}
],
"release_date": "2019-02-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: XSS in the tooltip or popover data-template attribute"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2022-3143",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-09-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2124682"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-elytron: possible timing attacks via use of unsafe comparator",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3143"
},
{
"category": "external",
"summary": "RHBZ#2124682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3143",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3143"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143"
}
],
"release_date": "2022-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly-elytron: possible timing attacks via use of unsafe comparator"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-40152",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134291"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40152"
},
{
"category": "external",
"summary": "RHBZ#2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40152",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4",
"url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "CXF: SSRF Vulnerability"
}
]
}
RHSA-2023_5396
Vulnerability from csaf_redhat - Published: 2023-09-28 11:55 - Updated: 2024-12-17 04:51Summary
Red Hat Security Advisory: Red Hat Data Grid 8.4.4 security update
Notes
Topic
An update for Red Hat Data Grid 8 is now available.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.
Data Grid 8.4.4 replaces Data Grid 8.4.3 and includes bug fixes and enhancements. Find out more about Data Grid 8.4.4 in the Release Notes[3].
Security Fix(es):
* infispan: REST bulk ops don't check permissions (CVE-2023-3628)
* infinispan: Non-admins should not be able to get cache config via REST API (CVE-2023-3629)
* netty: SniHandler 16MB allocation leads to OOM (CVE-2023-34462)
* jackson-databind: denial of service via cylic dependencies (CVE-2023-35116)
* apache-mina: information exposure in SFTP server implementations (CVE-2023-35887)
* infinispan: circular reference on marshalling leads to DoS (CVE-2023-5236)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Data Grid 8 is now available.\n \nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.\n \nData Grid 8.4.4 replaces Data Grid 8.4.3 and includes bug fixes and enhancements. Find out more about Data Grid 8.4.4 in the Release Notes[3].\n\nSecurity Fix(es):\n\n* infispan: REST bulk ops don\u0027t check permissions (CVE-2023-3628)\n\n* infinispan: Non-admins should not be able to get cache config via REST API (CVE-2023-3629)\n\n* netty: SniHandler 16MB allocation leads to OOM (CVE-2023-34462)\n\n* jackson-databind: denial of service via cylic dependencies (CVE-2023-35116)\n\n* apache-mina: information exposure in SFTP server implementations (CVE-2023-35887)\n\n* infinispan: circular reference on marshalling leads to DoS (CVE-2023-5236)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:5396",
"url": "https://access.redhat.com/errata/RHSA-2023:5396"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=8.4\u0026downloadType=patches",
"url": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=8.4\u0026downloadType=patches"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.4/html-single/red_hat_data_grid_8.4_release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.4/html-single/red_hat_data_grid_8.4_release_notes/index"
},
{
"category": "external",
"summary": "2215214",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215214"
},
{
"category": "external",
"summary": "2216888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216888"
},
{
"category": "external",
"summary": "2217924",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217924"
},
{
"category": "external",
"summary": "2217926",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217926"
},
{
"category": "external",
"summary": "2240036",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2240036"
},
{
"category": "external",
"summary": "2240999",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2240999"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_5396.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Data Grid 8.4.4 security update",
"tracking": {
"current_release_date": "2024-12-17T04:51:18+00:00",
"generator": {
"date": "2024-12-17T04:51:18+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:5396",
"initial_release_date": "2023-09-28T11:55:36+00:00",
"revision_history": [
{
"date": "2023-09-28T11:55:36+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-09-28T11:55:36+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-17T04:51:18+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Data Grid 8.4.4",
"product": {
"name": "Red Hat Data Grid 8.4.4",
"product_id": "Red Hat Data Grid 8.4.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_data_grid:8"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Data Grid"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-28T11:55:36+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Data Grid 8.4.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5396"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"Red Hat Data Grid 8.4.4"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2023-3628",
"cwe": {
"id": "CWE-304",
"name": "Missing Critical Step in Authentication"
},
"discovery_date": "2023-06-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2217924"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Infinispan\u0027s REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "infispan: REST bulk ops don\u0027t check permissions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-3628"
},
{
"category": "external",
"summary": "RHBZ#2217924",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217924"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-3628",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3628"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-3628",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3628"
}
],
"release_date": "2023-09-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-28T11:55:36+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Data Grid 8.4.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5396"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "infispan: REST bulk ops don\u0027t check permissions"
},
{
"cve": "CVE-2023-3629",
"cwe": {
"id": "CWE-304",
"name": "Missing Critical Step in Authentication"
},
"discovery_date": "2023-06-27T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2217926"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Infinispan\u0027s REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "infinispan: Non-admins should not be able to get cache config via REST API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-3629"
},
{
"category": "external",
"summary": "RHBZ#2217926",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217926"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-3629",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3629"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-3629",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3629"
}
],
"release_date": "2023-09-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-28T11:55:36+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Data Grid 8.4.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5396"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "infinispan: Non-admins should not be able to get cache config via REST API"
},
{
"cve": "CVE-2023-5236",
"cwe": {
"id": "CWE-1047",
"name": "Modules with Circular Dependencies"
},
"discovery_date": "2023-03-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2240999"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "infinispan: circular reference on marshalling leads to DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-5236"
},
{
"category": "external",
"summary": "RHBZ#2240999",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2240999"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-5236",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5236"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-5236",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5236"
}
],
"release_date": "2023-09-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-28T11:55:36+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Data Grid 8.4.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5396"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "infinispan: circular reference on marshalling leads to DoS"
},
{
"cve": "CVE-2023-34462",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2216888"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty\u0027s SniHandler while navigating TLS handshake which may permit a large heap allocation if the handler did not have a timeout configured. This issue may allow an attacker to send a client hello packet which would cause the server to buffer large amounts of data per connection, potentially causing an out of memory error, resulting in Denial of Service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: SniHandler 16MB allocation leads to OOM",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-34462"
},
{
"category": "external",
"summary": "RHBZ#2216888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216888"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-34462",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34462"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-34462",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34462"
}
],
"release_date": "2023-06-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-28T11:55:36+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Data Grid 8.4.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5396"
},
{
"category": "workaround",
"details": "Configuration of SniHandler with an idle timeout will mitigate this issue.",
"product_ids": [
"Red Hat Data Grid 8.4.4"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: SniHandler 16MB allocation leads to OOM"
},
{
"cve": "CVE-2023-35116",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-06-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2215214"
}
],
"notes": [
{
"category": "description",
"text": "jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor\u0027s perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: denial of service via cylic dependencies",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This CVE is disputed by the component developers and is under reconsideration by NIST. As such, it should be excluded from scanning utilities or other compliance systems until the dispute is finalized.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-35116"
},
{
"category": "external",
"summary": "RHBZ#2215214",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215214"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-35116",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-35116"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-35116",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35116"
}
],
"release_date": "2023-06-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-28T11:55:36+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Data Grid 8.4.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5396"
},
{
"category": "workaround",
"details": "jackson-databind should not be used to deserialize untrusted inputs. User inputs should be validated and sanitized before processing.",
"product_ids": [
"Red Hat Data Grid 8.4.4"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: denial of service via cylic dependencies"
},
{
"cve": "CVE-2023-35887",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2023-09-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2240036"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Mina SSHD that could be exploited on certain SFTP servers implemented using the Apache Mina RootedFileSystem. This issue could permit authenticated users to view information outside of their permissions scope.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-mina-sshd: information exposure in SFTP server implementations",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-35887"
},
{
"category": "external",
"summary": "RHBZ#2240036",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2240036"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-35887",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-35887"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-35887",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35887"
}
],
"release_date": "2023-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-28T11:55:36+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Data Grid 8.4.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5396"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-mina-sshd: information exposure in SFTP server implementations"
}
]
}
RHSA-2023:5396
Vulnerability from csaf_redhat - Published: 2023-09-28 11:55 - Updated: 2025-11-21 18:45Summary
Red Hat Security Advisory: Red Hat Data Grid 8.4.4 security update
Notes
Topic
An update for Red Hat Data Grid 8 is now available.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.
Data Grid 8.4.4 replaces Data Grid 8.4.3 and includes bug fixes and enhancements. Find out more about Data Grid 8.4.4 in the Release Notes[3].
Security Fix(es):
* infispan: REST bulk ops don't check permissions (CVE-2023-3628)
* infinispan: Non-admins should not be able to get cache config via REST API (CVE-2023-3629)
* netty: SniHandler 16MB allocation leads to OOM (CVE-2023-34462)
* jackson-databind: denial of service via cylic dependencies (CVE-2023-35116)
* apache-mina: information exposure in SFTP server implementations (CVE-2023-35887)
* infinispan: circular reference on marshalling leads to DoS (CVE-2023-5236)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Data Grid 8 is now available.\n \nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.\n \nData Grid 8.4.4 replaces Data Grid 8.4.3 and includes bug fixes and enhancements. Find out more about Data Grid 8.4.4 in the Release Notes[3].\n\nSecurity Fix(es):\n\n* infispan: REST bulk ops don\u0027t check permissions (CVE-2023-3628)\n\n* infinispan: Non-admins should not be able to get cache config via REST API (CVE-2023-3629)\n\n* netty: SniHandler 16MB allocation leads to OOM (CVE-2023-34462)\n\n* jackson-databind: denial of service via cylic dependencies (CVE-2023-35116)\n\n* apache-mina: information exposure in SFTP server implementations (CVE-2023-35887)\n\n* infinispan: circular reference on marshalling leads to DoS (CVE-2023-5236)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:5396",
"url": "https://access.redhat.com/errata/RHSA-2023:5396"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=8.4\u0026downloadType=patches",
"url": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=8.4\u0026downloadType=patches"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.4/html-single/red_hat_data_grid_8.4_release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.4/html-single/red_hat_data_grid_8.4_release_notes/index"
},
{
"category": "external",
"summary": "2215214",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215214"
},
{
"category": "external",
"summary": "2216888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216888"
},
{
"category": "external",
"summary": "2217924",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217924"
},
{
"category": "external",
"summary": "2217926",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217926"
},
{
"category": "external",
"summary": "2240036",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2240036"
},
{
"category": "external",
"summary": "2240999",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2240999"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_5396.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Data Grid 8.4.4 security update",
"tracking": {
"current_release_date": "2025-11-21T18:45:44+00:00",
"generator": {
"date": "2025-11-21T18:45:44+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2023:5396",
"initial_release_date": "2023-09-28T11:55:36+00:00",
"revision_history": [
{
"date": "2023-09-28T11:55:36+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-09-28T11:55:36+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:45:44+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Data Grid 8.4.4",
"product": {
"name": "Red Hat Data Grid 8.4.4",
"product_id": "Red Hat Data Grid 8.4.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_data_grid:8"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Data Grid"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-28T11:55:36+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Data Grid 8.4.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5396"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"Red Hat Data Grid 8.4.4"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2023-3628",
"cwe": {
"id": "CWE-304",
"name": "Missing Critical Step in Authentication"
},
"discovery_date": "2023-06-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2217924"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Infinispan\u0027s REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "infispan: REST bulk ops don\u0027t check permissions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-3628"
},
{
"category": "external",
"summary": "RHBZ#2217924",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217924"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-3628",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3628"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-3628",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3628"
}
],
"release_date": "2023-09-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-28T11:55:36+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Data Grid 8.4.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5396"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "infispan: REST bulk ops don\u0027t check permissions"
},
{
"cve": "CVE-2023-3629",
"cwe": {
"id": "CWE-304",
"name": "Missing Critical Step in Authentication"
},
"discovery_date": "2023-06-27T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2217926"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Infinispan\u0027s REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "infinispan: Non-admins should not be able to get cache config via REST API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-3629"
},
{
"category": "external",
"summary": "RHBZ#2217926",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217926"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-3629",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3629"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-3629",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3629"
}
],
"release_date": "2023-09-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-28T11:55:36+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Data Grid 8.4.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5396"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "infinispan: Non-admins should not be able to get cache config via REST API"
},
{
"cve": "CVE-2023-5236",
"discovery_date": "2023-03-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2240999"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "infinispan: circular reference on marshalling leads to DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-5236"
},
{
"category": "external",
"summary": "RHBZ#2240999",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2240999"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-5236",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5236"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-5236",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5236"
}
],
"release_date": "2023-09-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-28T11:55:36+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Data Grid 8.4.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5396"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "infinispan: circular reference on marshalling leads to DoS"
},
{
"cve": "CVE-2023-34462",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2216888"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Netty\u0027s SniHandler while navigating TLS handshake which may permit a large heap allocation if the handler did not have a timeout configured. This issue may allow an attacker to send a client hello packet which would cause the server to buffer large amounts of data per connection, potentially causing an out of memory error, resulting in Denial of Service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "netty: SniHandler 16MB allocation leads to OOM",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-34462"
},
{
"category": "external",
"summary": "RHBZ#2216888",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2216888"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-34462",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34462"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-34462",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34462"
}
],
"release_date": "2023-06-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-28T11:55:36+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Data Grid 8.4.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5396"
},
{
"category": "workaround",
"details": "Configuration of SniHandler with an idle timeout will mitigate this issue.",
"product_ids": [
"Red Hat Data Grid 8.4.4"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "netty: SniHandler 16MB allocation leads to OOM"
},
{
"cve": "CVE-2023-35116",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-06-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2215214"
}
],
"notes": [
{
"category": "description",
"text": "jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor\u0027s perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: denial of service via cylic dependencies",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This CVE is disputed by the component developers and is under reconsideration by NIST. As such, it should be excluded from scanning utilities or other compliance systems until the dispute is finalized.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-35116"
},
{
"category": "external",
"summary": "RHBZ#2215214",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215214"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-35116",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-35116"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-35116",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35116"
}
],
"release_date": "2023-06-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-28T11:55:36+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Data Grid 8.4.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5396"
},
{
"category": "workaround",
"details": "jackson-databind should not be used to deserialize untrusted inputs. User inputs should be validated and sanitized before processing.",
"product_ids": [
"Red Hat Data Grid 8.4.4"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: denial of service via cylic dependencies"
},
{
"cve": "CVE-2023-35887",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2023-09-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2240036"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Mina SSHD that could be exploited on certain SFTP servers implemented using the Apache Mina RootedFileSystem. This issue could permit authenticated users to view information outside of their permissions scope.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-mina-sshd: information exposure in SFTP server implementations",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-35887"
},
{
"category": "external",
"summary": "RHBZ#2240036",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2240036"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-35887",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-35887"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-35887",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35887"
}
],
"release_date": "2023-07-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-28T11:55:36+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Data Grid 8.4.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:5396"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-mina-sshd: information exposure in SFTP server implementations"
}
]
}
RHSA-2023_3641
Vulnerability from csaf_redhat - Published: 2023-06-15 15:23 - Updated: 2024-12-16 16:23Summary
Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 2 release
Notes
Topic
Camel for Spring Boot 3.18.3 Patch 2 release and security update is now available.
Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed.
* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40156)
* dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Camel for Spring Boot 3.18.3 Patch 2 release and security update is now available.\n\nRed Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed.\n\n* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)\n\n* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40156)\n\n* dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern.match (CVE-2022-38751)\n\n* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:3641",
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2023-Q2",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2023-Q2"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "2129710",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129710"
},
{
"category": "external",
"summary": "2134288",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134288"
},
{
"category": "external",
"summary": "2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2151988",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2151988"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2182788",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182788"
},
{
"category": "external",
"summary": "2188542",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2188542"
},
{
"category": "external",
"summary": "2209342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209342"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3641.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 2 release",
"tracking": {
"current_release_date": "2024-12-16T16:23:30+00:00",
"generator": {
"date": "2024-12-16T16:23:30+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:3641",
"initial_release_date": "2023-06-15T15:23:47+00:00",
"revision_history": [
{
"date": "2023-06-15T15:23:47+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-06-15T15:23:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-16T16:23:30+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHINT Camel-Springboot 3.18.3.P2",
"product": {
"name": "RHINT Camel-Springboot 3.18.3.P2",
"product_id": "RHINT Camel-Springboot 3.18.3.P2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:camel_spring_boot:3.18"
}
}
}
],
"category": "product_family",
"name": "Red Hat Integration"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-38749",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129706"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38749"
},
{
"category": "external",
"summary": "RHBZ#2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode"
},
{
"cve": "CVE-2022-38750",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129707"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38750"
},
{
"category": "external",
"summary": "RHBZ#2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject"
},
{
"cve": "CVE-2022-38751",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129709"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38751"
},
{
"category": "external",
"summary": "RHBZ#2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match"
},
{
"cve": "CVE-2022-38752",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129710"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38752"
},
{
"category": "external",
"summary": "RHBZ#2129710",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129710"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38752",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38752"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38752",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38752"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode"
},
{
"cve": "CVE-2022-40152",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134291"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40152"
},
{
"category": "external",
"summary": "RHBZ#2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40152",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4",
"url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-40156",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134288"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the XStream package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40156"
},
{
"category": "external",
"summary": "RHBZ#2134288",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134288"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40156",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40156"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40156",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40156"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-41854",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2151988"
}
],
"notes": [
{
"category": "description",
"text": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "dev-java/snakeyaml: DoS via stack overflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41854"
},
{
"category": "external",
"summary": "RHBZ#2151988",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2151988"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41854",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41854"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355"
},
{
"category": "external",
"summary": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355"
}
],
"release_date": "2022-11-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "dev-java/snakeyaml: DoS via stack overflow"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "CXF: SSRF Vulnerability"
},
{
"cve": "CVE-2023-1370",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2023-04-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2188542"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json-smart package. This security flaw occurs when reaching a \u2018[\u2018 or \u2018{\u2018 character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-1370"
},
{
"category": "external",
"summary": "RHBZ#2188542",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2188542"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-1370",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1370"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-493p-pfq6-5258",
"url": "https://github.com/advisories/GHSA-493p-pfq6-5258"
},
{
"category": "external",
"summary": "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/",
"url": "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/"
}
],
"release_date": "2023-03-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)"
},
{
"cve": "CVE-2023-1436",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2023-03-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2182788"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison. Infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This issue leads to a StackOverflowError exception being thrown.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: Uncontrolled Recursion in JSONArray",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-1436"
},
{
"category": "external",
"summary": "RHBZ#2182788",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182788"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-1436",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1436"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436"
},
{
"category": "external",
"summary": "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/",
"url": "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/"
}
],
"release_date": "2023-03-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: Uncontrolled Recursion in JSONArray"
},
{
"cve": "CVE-2023-20883",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-05-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2209342"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot\u0027s welcome page support, either static or templated, resulting in the application being deployed behind a proxy that caches 404 responses. This issue may cause a denial of service (DoS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "spring-boot: Spring Boot Welcome Page DoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHINT Camel-Springboot 3.18.3.P2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-20883"
},
{
"category": "external",
"summary": "RHBZ#2209342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209342"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-20883",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20883"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-20883",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20883"
}
],
"release_date": "2023-05-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-06-15T15:23:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHINT Camel-Springboot 3.18.3.P2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHINT Camel-Springboot 3.18.3.P2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "spring-boot: Spring Boot Welcome Page DoS Vulnerability"
}
]
}
RHSA-2023_4983
Vulnerability from csaf_redhat - Published: 2023-09-05 18:37 - Updated: 2024-12-17 22:56Summary
Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.4 security update
Notes
Topic
An update is now available for Red Hat Process Automation Manager.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which provides a detailed severity rating, is available for each vulnerability from the CVE links in the References section.
Details
Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.
This asynchronous security patch is an update to Red Hat Process Automation Manager 7.
Security Fixes:
* apache-bcel: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* loader-utils: regular expression denial of service in interpolateName.js (CVE-2022-37599)
* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* RESTEasy: creation of insecure temp files (CVE-2023-0482)
* sshd-core: mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server (CVE-2021-30129)
For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat Process Automation Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which provides a detailed severity rating, is available for each vulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis asynchronous security patch is an update to Red Hat Process Automation Manager 7.\n\nSecurity Fixes:\n\n* apache-bcel: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n\n* decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)\n\n* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* loader-utils: regular expression denial of service in interpolateName.js (CVE-2022-37599)\n\n* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)\n\n* RESTEasy: creation of insecure temp files (CVE-2023-0482)\n\n* sshd-core: mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server (CVE-2021-30129)\n\nFor more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:4983",
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1981527",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981527"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "2134872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134872"
},
{
"category": "external",
"summary": "2137645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137645"
},
{
"category": "external",
"summary": "2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2166004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166004"
},
{
"category": "external",
"summary": "2170644",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170644"
},
{
"category": "external",
"summary": "2180528",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180528"
},
{
"category": "external",
"summary": "2209342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209342"
},
{
"category": "external",
"summary": "RHPAM-4639",
"url": "https://issues.redhat.com/browse/RHPAM-4639"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_4983.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.4 security update",
"tracking": {
"current_release_date": "2024-12-17T22:56:41+00:00",
"generator": {
"date": "2024-12-17T22:56:41+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:4983",
"initial_release_date": "2023-09-05T18:37:03+00:00",
"revision_history": [
{
"date": "2023-09-05T18:37:03+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-09-05T18:37:03+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-17T22:56:41+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHPAM 7.13.4 async",
"product": {
"name": "RHPAM 7.13.4 async",
"product_id": "RHPAM 7.13.4 async",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13"
}
}
}
],
"category": "product_family",
"name": "Red Hat Process Automation Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-30129",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1981527"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-30129"
},
{
"category": "external",
"summary": "RHBZ#1981527",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981527"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-30129",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30129"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-30129",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30129"
}
],
"release_date": "2021-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server"
},
{
"cve": "CVE-2022-3143",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-09-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2124682"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-elytron: possible timing attacks via use of unsafe comparator",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3143"
},
{
"category": "external",
"summary": "RHBZ#2124682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3143",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3143"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143"
}
],
"release_date": "2022-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly-elytron: possible timing attacks via use of unsafe comparator"
},
{
"cve": "CVE-2022-3171",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2137645"
}
],
"notes": [
{
"category": "description",
"text": "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobuf-java: timeout in parser leads to DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3171"
},
{
"category": "external",
"summary": "RHBZ#2137645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3171",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3171"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171"
},
{
"category": "external",
"summary": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2",
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
}
],
"release_date": "2022-10-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "protobuf-java: timeout in parser leads to DoS"
},
{
"cve": "CVE-2022-3509",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2022-12-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2184161"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Textformat in protobuf-java core that can lead to a denial of service. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields can cause objects to convert between mutable and immutable forms, resulting in long garbage collection pauses.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobuf-java: Textformat parsing issue leads to DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3509"
},
{
"category": "external",
"summary": "RHBZ#2184161",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184161"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3509",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3509"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3509",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3509"
}
],
"release_date": "2022-12-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "protobuf-java: Textformat parsing issue leads to DoS"
},
{
"cve": "CVE-2022-3510",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2022-12-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2184176"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Message-Type Extensions in protobuf-java core that can lead to a denial of service. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields can cause objects to convert between mutable and immutable forms, resulting in long garbage collection pauses.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobuf-java: Message-Type Extensions parsing issue leads to DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3510"
},
{
"category": "external",
"summary": "RHBZ#2184176",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184176"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3510",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3510"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3510",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3510"
}
],
"release_date": "2022-12-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "protobuf-java: Message-Type Extensions parsing issue leads to DoS"
},
{
"cve": "CVE-2022-4492",
"cwe": {
"id": "CWE-550",
"name": "Server-generated Error Message Containing Sensitive Information"
},
"discovery_date": "2022-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2153260"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step ( that should at least be performed by default) in HTTPS and in http/2.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: Server identity in https connection is not checked by the undertow client",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4492"
},
{
"category": "external",
"summary": "RHBZ#2153260",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4492",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4492"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4492",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4492"
}
],
"release_date": "2022-12-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undertow: Server identity in https connection is not checked by the undertow client"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-37599",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134872"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the interpolateName function in interpolateName.js in the webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js. This flaw can lead to a regular expression denial of service (ReDoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: regular expression denial of service in interpolateName.js",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Hat OpenShift Logging the openshift-logging/kibana6-rhel8 container and openshift-logging/logging-view-plugin-rhel8 bundles many nodejs packages as a build time dependencies, including loader-utils package. The vulnerable code is not used hence the impact to OpenShift Logging by this vulnerability is Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37599"
},
{
"category": "external",
"summary": "RHBZ#2134872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134872"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37599",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37599"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37599",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37599"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g",
"url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g"
},
{
"category": "external",
"summary": "https://github.com/webpack/loader-utils/issues/211",
"url": "https://github.com/webpack/loader-utils/issues/211"
}
],
"release_date": "2022-10-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"RHPAM 7.13.4 async"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: regular expression denial of service in interpolateName.js"
},
{
"cve": "CVE-2022-38900",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2023-02-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2170644"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in decode-uri-component. This issue occurs due to a specially crafted input, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "decode-uri-component: improper input validation resulting in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For OpenShift Container Platform (OCP), Advanced Clusters Management for Kubernetes (ACM) and Advanced Cluster Security (ACS), the NPM decode-uri-component package is only present in source repositories as a development dependency, it is not used in production. Therefore this vulnerability is rated Low for OCP and ACS.\n\nIn Red Hat OpenShift Logging the openshift-logging/kibana6-rhel8 container bundles many nodejs packages as a build time dependencies, including the decode-uri-component package. \nThe vulnerable code is not used, hence the impact to OpenShift Logging by this vulnerability is Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38900"
},
{
"category": "external",
"summary": "RHBZ#2170644",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170644"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38900",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38900"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38900",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38900"
},
{
"category": "external",
"summary": "https://github.com/SamVerschueren/decode-uri-component/issues/5",
"url": "https://github.com/SamVerschueren/decode-uri-component/issues/5"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-w573-4hg7-7wgq",
"url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq"
}
],
"release_date": "2022-11-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "decode-uri-component: improper input validation resulting in DoS"
},
{
"cve": "CVE-2022-40152",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134291"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40152"
},
{
"category": "external",
"summary": "RHBZ#2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40152",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4",
"url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-41854",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2151988"
}
],
"notes": [
{
"category": "description",
"text": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "dev-java/snakeyaml: DoS via stack overflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41854"
},
{
"category": "external",
"summary": "RHBZ#2151988",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2151988"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41854",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41854"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355"
},
{
"category": "external",
"summary": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355"
}
],
"release_date": "2022-11-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "dev-java/snakeyaml: DoS via stack overflow"
},
{
"cve": "CVE-2022-42920",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2142707"
}
],
"notes": [
{
"category": "description",
"text": "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42920"
},
{
"category": "external",
"summary": "RHBZ#2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42920",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42920"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4",
"url": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4"
}
],
"release_date": "2022-11-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"RHPAM 7.13.4 async"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2023-0482",
"cwe": {
"id": "CWE-378",
"name": "Creation of Temporary File With Insecure Permissions"
},
"discovery_date": "2023-01-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2166004"
}
],
"notes": [
{
"category": "description",
"text": "In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: creation of insecure temp files",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0482"
},
{
"category": "external",
"summary": "RHBZ#2166004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0482",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0482"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0482",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0482"
}
],
"release_date": "2023-01-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "RESTEasy: creation of insecure temp files"
},
{
"cve": "CVE-2023-20860",
"cwe": {
"id": "CWE-155",
"name": "Improper Neutralization of Wildcards or Matching Symbols"
},
"discovery_date": "2023-03-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2180528"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-20860"
},
{
"category": "external",
"summary": "RHBZ#2180528",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180528"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-20860",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20860"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-20860",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20860"
},
{
"category": "external",
"summary": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861",
"url": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861"
}
],
"release_date": "2023-03-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern"
},
{
"cve": "CVE-2023-20861",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-03-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2180530"
}
],
"notes": [
{
"category": "description",
"text": "A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "springframework: Spring Expression DoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-20861"
},
{
"category": "external",
"summary": "RHBZ#2180530",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180530"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-20861",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20861"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-20861",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20861"
},
{
"category": "external",
"summary": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861",
"url": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861"
}
],
"release_date": "2023-03-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "springframework: Spring Expression DoS Vulnerability"
},
{
"cve": "CVE-2023-20883",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-05-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2209342"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot\u0027s welcome page support, either static or templated, resulting in the application being deployed behind a proxy that caches 404 responses. This issue may cause a denial of service (DoS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "spring-boot: Spring Boot Welcome Page DoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-20883"
},
{
"category": "external",
"summary": "RHBZ#2209342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209342"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-20883",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20883"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-20883",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20883"
}
],
"release_date": "2023-05-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "spring-boot: Spring Boot Welcome Page DoS Vulnerability"
},
{
"cve": "CVE-2023-24998",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-02-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2172298"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Commons FileUpload, where it does not limit the number of parts being processed in a request. This issue may allow an attacker to use a malicious upload or series of uploads to trigger a denial of service.\r\n\r\nWhile Red Hat Satellite relies upon Apache Tomcat, it does not directly ship it. Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "FileUpload: FileUpload DoS with excessive parts",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-24998"
},
{
"category": "external",
"summary": "RHBZ#2172298",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2172298"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-24998",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24998"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998"
},
{
"category": "external",
"summary": "https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5",
"url": "https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5"
}
],
"release_date": "2023-02-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "FileUpload: FileUpload DoS with excessive parts"
}
]
}
RHSA-2023_3198
Vulnerability from csaf_redhat - Published: 2023-05-17 17:53 - Updated: 2024-12-17 23:03Summary
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
Notes
Topic
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.11.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* apache-commons-text: variable interpolation RCE (CVE-2022-42889)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43401)
* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43403)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43404)
* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin (CVE-2022-43405)
* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)
* maven: Block repositories using http by default (CVE-2021-26291)
* SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)
* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)
* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)
* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)
* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin (CVE-2022-43409)
* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)
* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)
* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)
* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.11.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* apache-commons-text: variable interpolation RCE (CVE-2022-42889)\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43401)\n\n* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43403)\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43404)\n\n* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin (CVE-2022-43405)\n\n* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)\n\n* maven: Block repositories using http by default (CVE-2021-26291)\n\n* SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)\n\n* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)\n\n* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)\n\n* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)\n\n* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)\n\n* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)\n\n* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin (CVE-2022-43409)\n\n* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)\n\n* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)\n\n* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)\n\n* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:3198",
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://docs.openshift.com/container-platform/4.11/cicd/jenkins/important-changes-to-openshift-jenkins-images.html",
"url": "https://docs.openshift.com/container-platform/4.11/cicd/jenkins/important-changes-to-openshift-jenkins-images.html"
},
{
"category": "external",
"summary": "1955739",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1955739"
},
{
"category": "external",
"summary": "2066479",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066479"
},
{
"category": "external",
"summary": "2119646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646"
},
{
"category": "external",
"summary": "2119647",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2135435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
},
{
"category": "external",
"summary": "2136370",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370"
},
{
"category": "external",
"summary": "2136374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374"
},
{
"category": "external",
"summary": "2136379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379"
},
{
"category": "external",
"summary": "2136381",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381"
},
{
"category": "external",
"summary": "2136382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382"
},
{
"category": "external",
"summary": "2136383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383"
},
{
"category": "external",
"summary": "2136386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386"
},
{
"category": "external",
"summary": "2136388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388"
},
{
"category": "external",
"summary": "2136391",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2164278",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164278"
},
{
"category": "external",
"summary": "2170039",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170039"
},
{
"category": "external",
"summary": "2170041",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170041"
},
{
"category": "external",
"summary": "2177632",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177632"
},
{
"category": "external",
"summary": "2177634",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177634"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3198.json"
}
],
"title": "Red Hat Security Advisory: jenkins and jenkins-2-plugins security update",
"tracking": {
"current_release_date": "2024-12-17T23:03:11+00:00",
"generator": {
"date": "2024-12-17T23:03:11+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:3198",
"initial_release_date": "2023-05-17T17:53:04+00:00",
"revision_history": [
{
"date": "2023-05-17T17:53:04+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-05-17T17:53:04+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-17T23:03:11+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8",
"product": {
"name": "OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8",
"product_id": "8Base-OCP-Tools-4.11",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:ocp_tools:4.11::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Jenkins"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.387.1.1683009763-3.el8.src",
"product": {
"name": "jenkins-0:2.387.1.1683009763-3.el8.src",
"product_id": "jenkins-0:2.387.1.1683009763-3.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.387.1.1683009763-3.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.11.1683009941-1.el8.src",
"product": {
"name": "jenkins-2-plugins-0:4.11.1683009941-1.el8.src",
"product_id": "jenkins-2-plugins-0:4.11.1683009941-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.11.1683009941-1.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.387.1.1683009763-3.el8.noarch",
"product": {
"name": "jenkins-0:2.387.1.1683009763-3.el8.noarch",
"product_id": "jenkins-0:2.387.1.1683009763-3.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.387.1.1683009763-3.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"product": {
"name": "jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"product_id": "jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.11.1683009941-1.el8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.387.1.1683009763-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8",
"product_id": "8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch"
},
"product_reference": "jenkins-0:2.387.1.1683009763-3.el8.noarch",
"relates_to_product_reference": "8Base-OCP-Tools-4.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.387.1.1683009763-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8",
"product_id": "8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
},
"product_reference": "jenkins-0:2.387.1.1683009763-3.el8.src",
"relates_to_product_reference": "8Base-OCP-Tools-4.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8",
"product_id": "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch"
},
"product_reference": "jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"relates_to_product_reference": "8Base-OCP-Tools-4.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.11.1683009941-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8",
"product_id": "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
},
"product_reference": "jenkins-2-plugins-0:4.11.1683009941-1.el8.src",
"relates_to_product_reference": "8Base-OCP-Tools-4.11"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-26291",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-04-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1955739"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in maven. Repositories that are defined in a dependency\u2019s Project Object Model (pom), which may be unknown to users, are used by default resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "maven: Block repositories using http by default",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-26291"
},
{
"category": "external",
"summary": "RHBZ#1955739",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1955739"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-26291",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-26291"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-26291",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26291"
},
{
"category": "external",
"summary": "https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291",
"url": "https://maven.apache.org/docs/3.8.1/release-notes.html#cve-2021-26291"
}
],
"release_date": "2021-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
},
{
"category": "workaround",
"details": "To avoid possible man-in-the-middle related attacks with this flaw, ensure any linked repositories in maven POMs use https and not http.",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "maven: Block repositories using http by default"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-29599",
"cwe": {
"id": "CWE-77",
"name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
},
"discovery_date": "2022-03-15T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066479"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the maven-shared-utils package. This issue allows a Command Injection due to improper escaping, allowing a shell injection attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "maven-shared-utils: Command injection via Commandline class",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite ships Candlepin component, which uses the Tomcatjss module from the RHEL AppStream repository. In turn, Tomcatjss relies on Maven, which itself depends on affected Apache Maven Shared Utils. Due to the fact that Satellite does not directly use Apache Maven Shared Utils, or expose it in its code, it is considered not affected by the flaw. Satellite customers can resolve the security warning by updating to the fixed Apache Maven Shared Utils through the updated Maven module, which is available in the RHEL 8 AppStream repository. It\u0027s worth noting that this solution applies solely to RHEL 8, which supports modules exclusively, and it is not applicable to earlier versions including RHEL 7.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-29599"
},
{
"category": "external",
"summary": "RHBZ#2066479",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066479"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-29599",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29599"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-29599",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29599"
}
],
"release_date": "2020-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "maven-shared-utils: Command injection via Commandline class"
},
{
"cve": "CVE-2022-30953",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119646"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: CSRF vulnerability in Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30953"
},
{
"category": "external",
"summary": "RHBZ#2119646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30953",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30953"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: CSRF vulnerability in Blue Ocean Plugin"
},
{
"cve": "CVE-2022-30954",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119647"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: missing permission checks in Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30954"
},
{
"category": "external",
"summary": "RHBZ#2119647",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30954",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30954"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: missing permission checks in Blue Ocean Plugin"
},
{
"cve": "CVE-2022-42889",
"cwe": {
"id": "CWE-1188",
"name": "Initialization of a Resource with an Insecure Default"
},
"discovery_date": "2022-10-15T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135435"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-text: variable interpolation RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42889"
},
{
"category": "external",
"summary": "RHBZ#2135435",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42889",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42889"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889"
},
{
"category": "external",
"summary": "https://blogs.apache.org/security/entry/cve-2022-42889",
"url": "https://blogs.apache.org/security/entry/cve-2022-42889"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om",
"url": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om"
},
{
"category": "external",
"summary": "https://seclists.org/oss-sec/2022/q4/22",
"url": "https://seclists.org/oss-sec/2022/q4/22"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
},
{
"category": "workaround",
"details": "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-commons-text: variable interpolation RCE"
},
{
"cve": "CVE-2022-43401",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136381"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43401"
},
{
"category": "external",
"summary": "RHBZ#2136381",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43401",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43401"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43402",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136379"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43402"
},
{
"category": "external",
"summary": "RHBZ#2136379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43402",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43402"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin"
},
{
"cve": "CVE-2022-43403",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136382"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43403"
},
{
"category": "external",
"summary": "RHBZ#2136382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43403",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43403"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43404",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136383"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43404"
},
{
"category": "external",
"summary": "RHBZ#2136383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43404",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43404"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43405",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136374"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43405"
},
{
"category": "external",
"summary": "RHBZ#2136374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43405",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43405"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-43406",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136370"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43406"
},
{
"category": "external",
"summary": "RHBZ#2136370",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43406",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43406"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-43407",
"cwe": {
"id": "CWE-838",
"name": "Inappropriate Encoding for Output Context"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136386"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability was found in a Jenkins plugin. This issue may allow an unauthenticated attacker to access Jenkins builds, bypassing CSRF protections. This could compromise the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43407"
},
{
"category": "external",
"summary": "RHBZ#2136386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43407",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43407"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin"
},
{
"cve": "CVE-2022-43408",
"cwe": {
"id": "CWE-838",
"name": "Inappropriate Encoding for Output Context"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136388"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site request forgery (CSRF) vulnerability was found in a Jenkins plugin. This issue may allow an authenticated attacker to access Jenkins builds, bypassing CSRF protections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43408"
},
{
"category": "external",
"summary": "RHBZ#2136388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43408",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43408"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin"
},
{
"cve": "CVE-2022-43409",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136391"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability was found in a Jenkins plugin. This issue may allow an authenticated remote attacker to create Pipelines.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43409"
},
{
"category": "external",
"summary": "RHBZ#2136391",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43409",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43409"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2023-24422",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2023-01-25T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2164278"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the script-security Jenkins Plugin. In affected versions of the script-security plugin, property assignments performed implicitly by the Groovy language runtime when invoking map constructors were not intercepted by the sandbox. This vulnerability allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as out of support scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-24422"
},
{
"category": "external",
"summary": "RHBZ#2164278",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164278"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-24422",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24422"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24422",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24422"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016",
"url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016"
}
],
"release_date": "2023-01-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin"
},
{
"cve": "CVE-2023-25761",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-02-15T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2170039"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jenkins JUnit plugin. The affected versions of the JUnit Plugin do not escape test case class names in JavaScript expressions, resulting in a stored cross-site scripting (XSS) vulnerability. This may allow an attacker to control test case class names in the JUnit resources processed by the plugin.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support, therefore, the OpenShift 3.11 Jenkins component is marked as out of support scope in this CVE.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-25761"
},
{
"category": "external",
"summary": "RHBZ#2170039",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170039"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-25761",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25761"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-25761",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25761"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3032",
"url": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3032"
}
],
"release_date": "2023-02-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin"
},
{
"cve": "CVE-2023-25762",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-02-15T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2170041"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Jenkins pipeline-build-step plugin. Affected versions of the pipeline-build-step plugin do not escape job names in a JavaScript expression used in the Pipeline Snippet Generator. This can result in a stored cross-site scripting (XSS) vulnerability that may allow attackers to control job names.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support, therefore, the OpenShift 3.11 Jenkins component is marked as out of support scope in this CVE.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-25762"
},
{
"category": "external",
"summary": "RHBZ#2170041",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170041"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-25762",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-25762"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-25762",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25762"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3019",
"url": "https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-3019"
}
],
"release_date": "2023-02-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin"
},
{
"cve": "CVE-2023-27903",
"cwe": {
"id": "CWE-266",
"name": "Incorrect Privilege Assignment"
},
"discovery_date": "2023-03-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2177632"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. When triggering a build from the Jenkins CLI, Jenkins creates a temporary file on the controller if a file parameter is provided through the CLI\u2019s standard input. Affected versions of Jenkins create this temporary file in the default temporary directory with the default permissions for newly created files. If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is used in the build.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Jenkins: Temporary file parameter created with insecure permissions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-27903"
},
{
"category": "external",
"summary": "RHBZ#2177632",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177632"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-27903",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27903"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-27903",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27903"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058",
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058"
}
],
"release_date": "2023-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Jenkins: Temporary file parameter created with insecure permissions"
},
{
"cve": "CVE-2023-27904",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2023-03-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2177634"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Jenkins: Information disclosure through error stack traces related to agents",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
],
"known_not_affected": [
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-27904"
},
{
"category": "external",
"summary": "RHBZ#2177634",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177634"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-27904",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27904"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-27904",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27904"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120",
"url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120"
}
],
"release_date": "2023-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-05-17T17:53:04+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:3198"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-0:2.387.1.1683009763-3.el8.src",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.noarch",
"8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1683009941-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Jenkins: Information disclosure through error stack traces related to agents"
}
]
}
RHSA-2023:1045
Vulnerability from csaf_redhat - Published: 2023-03-01 21:45 - Updated: 2025-12-05 06:19Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 9
Notes
Topic
New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.2 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* keycloak: reflected XSS attack (CVE-2022-4137)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.2 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* jquery: Passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* keycloak: reflected XSS attack (CVE-2022-4137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1045",
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1045.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 9",
"tracking": {
"current_release_date": "2025-12-05T06:19:27+00:00",
"generator": {
"date": "2025-12-05T06:19:27+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.13"
}
},
"id": "RHSA-2023:1045",
"initial_release_date": "2023-03-01T21:45:17+00:00",
"revision_history": [
{
"date": "2023-03-01T21:45:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-01T21:45:17+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-12-05T06:19:27+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7.6 for RHEL 9",
"product": {
"name": "Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"product": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el9sso?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"product": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el9sso?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"product": {
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"product_id": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@18.0.6-1.redhat_00001.1.el9sso?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
},
"product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"relates_to_product_reference": "9Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src"
},
"product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"relates_to_product_reference": "9Base-RHSSO-7.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 9",
"product_id": "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
},
"product_reference": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"relates_to_product_reference": "9Base-RHSSO-7.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. As PCS does not accept untrusted input, the vulnerable code cannot be controlled by an attacker.\n\nMultiple Red Hat offerings use doxygen to build documentation. During this process an affected jquery.js file can be included in the resulting package. The \u0027gcc\u0027 and \u0027tbb\u0027 packages were potentially vulnerable via this method.\n\nOpenShift Container Platform 4 is not affected because even though it uses the \u0027gcc\u0027 component, vulnerable code is limited within the libstdc++-docs rpm package, which is not shipped.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nStatic code analysis controls ensure that security flaws, including XSS vulnerabilities, are detected early in development by scanning code for improper input handling. This prevents vulnerable code from reaching production and encourages our developers to follow secure coding practices. System monitoring controls play a crucial role in detecting and responding to XSS attacks by analyzing logs, monitoring user behavior, and generating alerts for suspicious activity. Meanwhile, AWS WAF (Web Application Firewall) adds an extra layer of defense by filtering and blocking malicious input before it reaches the platform and/or application. Together, these controls create a defense-in-depth approach, reducing the risk of XSS exploitation by preventing, detecting, and mitigating attacks at multiple levels.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2025-01-23T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2021-35065",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156324"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glob-parent: Regular Expression Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-35065"
},
{
"category": "external",
"summary": "RHBZ#2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35065"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294",
"url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294"
}
],
"release_date": "2022-12-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "glob-parent: Regular Expression Denial of Service"
},
{
"cve": "CVE-2021-44906",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-03-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066009"
}
],
"notes": [
{
"category": "description",
"text": "An Uncontrolled Resource Consumption flaw was found in minimist. The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. This flaw (CVE-2021-44906) allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "minimist: prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "As minimist is an argument parsing module for nodejs, exploitation of this vulnerability requires an attacker to influence which arguments are passed to nodejs when running a script. Red Hat products and services are designed in such a way that gaining this ability is not trivial. Additionally, the impact is limited by only enabling the pollution of functions, and not all generic objects.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44906"
},
{
"category": "external",
"summary": "RHBZ#2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"
}
],
"release_date": "2022-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "minimist: prototype pollution"
},
{
"acknowledgments": [
{
"names": [
"Marcus Nilsson"
],
"organization": "usd AG"
}
],
"cve": "CVE-2022-1274",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-04-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2073157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: HTML injection in execute-actions-email Admin REST API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1274"
},
{
"category": "external",
"summary": "RHBZ#2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1274"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725"
}
],
"release_date": "2023-02-28T18:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: HTML injection in execute-actions-email Admin REST API"
},
{
"acknowledgments": [
{
"names": [
"Grzegorz Tworek"
],
"organization": "SISOFT s.c."
}
],
"cve": "CVE-2022-1438",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2021-12-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031904"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: XSS on impersonation under specific circumstances",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1438"
},
{
"category": "external",
"summary": "RHBZ#2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1438"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438"
}
],
"release_date": "2023-02-28T18:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: XSS on impersonation under specific circumstances"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-2764",
"discovery_date": "2022-08-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2117506"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2764"
},
{
"category": "external",
"summary": "RHBZ#2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2764"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764"
}
],
"release_date": "2022-08-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations"
},
{
"acknowledgments": [
{
"names": [
"Peter Flintholm"
],
"organization": "Trifork"
}
],
"cve": "CVE-2022-3916",
"cwe": {
"id": "CWE-384",
"name": "Session Fixation"
},
"discovery_date": "2022-11-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2141404"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Session takeover with OIDC offline refreshtokens",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3916"
},
{
"category": "external",
"summary": "RHBZ#2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3916"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916"
}
],
"release_date": "2022-11-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Session takeover with OIDC offline refreshtokens"
},
{
"cve": "CVE-2022-4137",
"cwe": {
"id": "CWE-81",
"name": "Improper Neutralization of Script in an Error Message Web Page"
},
"discovery_date": "2022-11-25T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2148496"
}
],
"notes": [
{
"category": "description",
"text": "A reflected cross-site scripting (XSS) vulnerability was found in the \u0027oob\u0027 OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: reflected XSS attack",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4137"
},
{
"category": "external",
"summary": "RHBZ#2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4137",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137"
}
],
"release_date": "2023-03-01T13:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: reflected XSS attack"
},
{
"cve": "CVE-2022-24785",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-04-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2072009"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Moment.js: Path traversal in moment.locale",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Quay 3.10 and above, no version of affected momentjs is present.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24785"
},
{
"category": "external",
"summary": "RHBZ#2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4",
"url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
}
],
"release_date": "2022-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
},
{
"category": "workaround",
"details": "Sanitize the user-provided locale name before passing it to Moment.js.",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Moment.js: Path traversal in moment.locale"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-31129",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-07-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2105075"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "moment: inefficient parsing algorithm resulting in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.\n\nIn Quay IO 3.10 and above, no version of affected momentjs is present.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31129"
},
{
"category": "external",
"summary": "RHBZ#2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
"url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
}
],
"release_date": "2022-07-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "moment: inefficient parsing algorithm resulting in DoS"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-38749",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129706"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38749"
},
{
"category": "external",
"summary": "RHBZ#2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode"
},
{
"cve": "CVE-2022-38750",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129707"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38750"
},
{
"category": "external",
"summary": "RHBZ#2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject"
},
{
"cve": "CVE-2022-38751",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129709"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38751"
},
{
"category": "external",
"summary": "RHBZ#2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46175",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json5: Prototype Pollution in JSON5 via Parse Method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46175"
},
{
"category": "external",
"summary": "RHBZ#2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175"
},
{
"category": "external",
"summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h",
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
}
],
"release_date": "2022-12-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "json5: Prototype Pollution in JSON5 via Parse Method"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "CXF: SSRF Vulnerability"
},
{
"acknowledgments": [
{
"names": [
"Sourav Kumar"
],
"organization": "https://github.com/souravs17031999",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0091",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Client Registration endpoint does not check token revocation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0091"
},
{
"category": "external",
"summary": "RHBZ#2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0091"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg"
},
{
"category": "external",
"summary": "https://github.com/keycloak/security/issues/27",
"url": "https://github.com/keycloak/security/issues/27"
}
],
"release_date": "2022-10-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Client Registration endpoint does not check token revocation"
},
{
"acknowledgments": [
{
"names": [
"Jordi Zayuelas i Mu\u00f1oz"
],
"organization": "A1 Digital",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0264",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2023-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: user impersonation via stolen uuid code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0264"
},
{
"category": "external",
"summary": "RHBZ#2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0264"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264"
}
],
"release_date": "2023-02-28T18:58:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:45:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch",
"9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src",
"9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: user impersonation via stolen uuid code"
}
]
}
RHSA-2023_0552
Vulnerability from csaf_redhat - Published: 2023-01-31 13:15 - Updated: 2024-12-16 02:20Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods (CVE-2020-11023)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* bootstrap: XSS in the data-target attribute (CVE-2016-10735)
* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy (CVE-2018-14041)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)
* nodejs-moment: Regular expression denial of service (CVE-2017-18214)
* wildfly-elytron: possible timing attacks via use of unsafe comparator (CVE-2022-3143)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n\n* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)\n\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n\n* jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods (CVE-2020-11023)\n\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n\n* bootstrap: XSS in the data-target attribute (CVE-2016-10735)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy (CVE-2018-14041)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n\n* bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)\n\n* nodejs-moment: Regular expression denial of service (CVE-2017-18214)\n\n* wildfly-elytron: possible timing attacks via use of unsafe comparator (CVE-2022-3143)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0552",
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/"
},
{
"category": "external",
"summary": "1399546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546"
},
{
"category": "external",
"summary": "1553413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1668097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097"
},
{
"category": "external",
"summary": "1686454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "2124682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682"
},
{
"category": "external",
"summary": "2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "JBEAP-23864",
"url": "https://issues.redhat.com/browse/JBEAP-23864"
},
{
"category": "external",
"summary": "JBEAP-23865",
"url": "https://issues.redhat.com/browse/JBEAP-23865"
},
{
"category": "external",
"summary": "JBEAP-23866",
"url": "https://issues.redhat.com/browse/JBEAP-23866"
},
{
"category": "external",
"summary": "JBEAP-23926",
"url": "https://issues.redhat.com/browse/JBEAP-23926"
},
{
"category": "external",
"summary": "JBEAP-24055",
"url": "https://issues.redhat.com/browse/JBEAP-24055"
},
{
"category": "external",
"summary": "JBEAP-24081",
"url": "https://issues.redhat.com/browse/JBEAP-24081"
},
{
"category": "external",
"summary": "JBEAP-24095",
"url": "https://issues.redhat.com/browse/JBEAP-24095"
},
{
"category": "external",
"summary": "JBEAP-24100",
"url": "https://issues.redhat.com/browse/JBEAP-24100"
},
{
"category": "external",
"summary": "JBEAP-24127",
"url": "https://issues.redhat.com/browse/JBEAP-24127"
},
{
"category": "external",
"summary": "JBEAP-24128",
"url": "https://issues.redhat.com/browse/JBEAP-24128"
},
{
"category": "external",
"summary": "JBEAP-24132",
"url": "https://issues.redhat.com/browse/JBEAP-24132"
},
{
"category": "external",
"summary": "JBEAP-24147",
"url": "https://issues.redhat.com/browse/JBEAP-24147"
},
{
"category": "external",
"summary": "JBEAP-24167",
"url": "https://issues.redhat.com/browse/JBEAP-24167"
},
{
"category": "external",
"summary": "JBEAP-24191",
"url": "https://issues.redhat.com/browse/JBEAP-24191"
},
{
"category": "external",
"summary": "JBEAP-24195",
"url": "https://issues.redhat.com/browse/JBEAP-24195"
},
{
"category": "external",
"summary": "JBEAP-24207",
"url": "https://issues.redhat.com/browse/JBEAP-24207"
},
{
"category": "external",
"summary": "JBEAP-24248",
"url": "https://issues.redhat.com/browse/JBEAP-24248"
},
{
"category": "external",
"summary": "JBEAP-24426",
"url": "https://issues.redhat.com/browse/JBEAP-24426"
},
{
"category": "external",
"summary": "JBEAP-24427",
"url": "https://issues.redhat.com/browse/JBEAP-24427"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0552.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update",
"tracking": {
"current_release_date": "2024-12-16T02:20:15+00:00",
"generator": {
"date": "2024-12-16T02:20:15+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:0552",
"initial_release_date": "2023-01-31T13:15:22+00:00",
"revision_history": [
{
"date": "2023-01-31T13:15:22+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-31T13:15:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-16T02:20:15+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product": {
"name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src",
"product_id": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-woodstox-core@6.4.0-1.redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_id": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-1.redhat_00003.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-elytron-web@1.9.3-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_id": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-1.redhat_00003.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"product": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"product_id": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-javaee-security-soteria@1.0.1-3.redhat_00003.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product": {
"name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_id": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-providers@2.12.7-1.redhat_00003.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_id": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-1.redhat_00003.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"product": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"product_id": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-1.redhat_00002.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_id": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-1.redhat_00003.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_id": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-1.redhat_00003.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"product_id": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow@2.2.22-1.SP3_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.27-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.3.16-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar@1.5.10-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsp-api_2.3_spec@2.0.0-3.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"product_id": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-sshd@2.9.2-1.redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-ejb-client@4.0.49-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"product_id": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsf-api_2.3_spec@3.0.0-6.SP07_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search@5.10.13-3.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.16-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"product": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"product_id": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-24.Final_redhat_00023.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"product": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"product_id": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.4.9-4.GA_redhat_00003.1.el7eap?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"product_id": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-woodstox-core@6.4.0-1.redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-datatype-jdk8@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-datatype-jsr310@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow-server@1.9.3-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-javaee-security-soteria@1.0.1-3.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-javaee-security-soteria-enterprise@1.0.1-3.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-base@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-json-provider@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"product": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"product_id": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-1.redhat_00002.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-module-jaxb-annotations@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow@2.2.22-1.SP3_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.27-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.3.16-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-api@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-impl@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-spi@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-core-api@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-core-impl@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-deployers-common@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-jdbc@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-validator@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsp-api_2.3_spec@2.0.0-3.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"product_id": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-sshd@2.9.2-1.redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-ejb-client@4.0.49-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsf-api_2.3_spec@3.0.0-6.SP07_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search@5.10.13-3.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-backend-jgroups@5.10.13-3.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-backend-jms@5.10.13-3.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-engine@5.10.13-3.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-orm@5.10.13-3.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-serialization-avro@5.10.13-3.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.16-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.16-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"product_id": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-24.Final_redhat_00023.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"product_id": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-24.Final_redhat_00023.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"product_id": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-24.Final_redhat_00023.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_id": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.4.9-4.GA_redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_id": "eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.4.9-4.GA_redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_id": "eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.4.9-4.GA_redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_id": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.9-4.GA_redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_id": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.9-4.GA_redhat_00003.1.el7eap?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src"
},
"product_reference": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src"
},
"product_reference": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src"
},
"product_reference": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src"
},
"product_reference": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src"
},
"product_reference": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src"
},
"product_reference": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src"
},
"product_reference": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src"
},
"product_reference": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch"
},
"product_reference": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src"
},
"product_reference": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src"
},
"product_reference": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-9251",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2016-11-27T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1399546"
}
],
"notes": [
{
"category": "description",
"text": "jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting via cross-domain ajax requests",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-9251"
},
{
"category": "external",
"summary": "RHBZ#1399546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-9251",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-9251"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251"
}
],
"release_date": "2015-06-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Cross-site scripting via cross-domain ajax requests"
},
{
"cve": "CVE-2016-10735",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-01-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1668097"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: XSS in the data-target attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.\n\nRed Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-10735"
},
{
"category": "external",
"summary": "RHBZ#1668097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-10735",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10735"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735"
}
],
"release_date": "2016-06-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: XSS in the data-target attribute"
},
{
"cve": "CVE-2017-18214",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2018-03-08T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1553413"
}
],
"notes": [
{
"category": "description",
"text": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-moment: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of momentjs as shipped with Red Hat Enterprise Satellite 5. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-18214"
},
{
"category": "external",
"summary": "RHBZ#1553413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-18214",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-18214"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214"
}
],
"release_date": "2017-09-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs-moment: Regular expression denial of service"
},
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14041",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601616"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting, caused by improper validation of user-supplied input by the data-target property of scrollspy. This flaw allows a remote attacker to execute a script in a victim\u0027s Web browser within the security context of the hosting Web site, which can lead to stealing the victim\u0027s cookie-based authentication credentials.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14041"
},
{
"category": "external",
"summary": "RHBZ#1601616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14041",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14041"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-8331",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-02-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1686454"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popover events fired.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: XSS in the tooltip or popover data-template attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-8331"
},
{
"category": "external",
"summary": "RHBZ#1686454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-8331",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8331"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331"
}
],
"release_date": "2019-02-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: XSS in the tooltip or popover data-template attribute"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2022-3143",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-09-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2124682"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-elytron: possible timing attacks via use of unsafe comparator",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3143"
},
{
"category": "external",
"summary": "RHBZ#2124682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3143",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3143"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143"
}
],
"release_date": "2022-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly-elytron: possible timing attacks via use of unsafe comparator"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-40152",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134291"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40152"
},
{
"category": "external",
"summary": "RHBZ#2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40152",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4",
"url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "CXF: SSRF Vulnerability"
}
]
}
RHSA-2023_1049
Vulnerability from csaf_redhat - Published: 2023-03-01 21:58 - Updated: 2024-12-18 00:38Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update
Notes
Topic
A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.2 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* keycloak: reflected XSS attack (CVE-2022-4137)
* Keycloak Node.js Adapter: Open redirect vulnerability in checkSSO (CVE-2022-2237)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.2 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* keycloak: reflected XSS attack (CVE-2022-4137)\n* Keycloak Node.js Adapter: Open redirect vulnerability in checkSSO (CVE-2022-2237)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:1049",
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "2097007",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097007"
},
{
"category": "external",
"summary": "2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1049.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update",
"tracking": {
"current_release_date": "2024-12-18T00:38:25+00:00",
"generator": {
"date": "2024-12-18T00:38:25+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:1049",
"initial_release_date": "2023-03-01T21:58:17+00:00",
"revision_history": [
{
"date": "2023-03-01T21:58:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-03-01T21:58:17+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-18T00:38:25+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Single Sign-On 7",
"product": {
"name": "Red Hat Single Sign-On 7",
"product_id": "Red Hat Single Sign-On 7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6"
}
}
}
],
"category": "product_family",
"name": "Red Hat Single Sign-On"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2021-35065",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156324"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "glob-parent: Regular Expression Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-35065"
},
{
"category": "external",
"summary": "RHBZ#2156324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35065"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065"
},
{
"category": "external",
"summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294",
"url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294"
}
],
"release_date": "2022-12-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "glob-parent: Regular Expression Denial of Service"
},
{
"cve": "CVE-2021-44906",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-03-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2066009"
}
],
"notes": [
{
"category": "description",
"text": "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "minimist: prototype pollution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-44906"
},
{
"category": "external",
"summary": "RHBZ#2066009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h",
"url": "https://github.com/advisories/GHSA-xvch-5gv4-984h"
}
],
"release_date": "2022-03-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "minimist: prototype pollution"
},
{
"acknowledgments": [
{
"names": [
"Marcus Nilsson"
],
"organization": "usd AG"
}
],
"cve": "CVE-2022-1274",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-04-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2073157"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: HTML injection in execute-actions-email Admin REST API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1274"
},
{
"category": "external",
"summary": "RHBZ#2073157",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1274"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725"
}
],
"release_date": "2023-02-28T18:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: HTML injection in execute-actions-email Admin REST API"
},
{
"acknowledgments": [
{
"names": [
"Grzegorz Tworek"
],
"organization": "SISOFT s.c."
}
],
"cve": "CVE-2022-1438",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2021-12-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2031904"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: XSS on impersonation under specific circumstances",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1438"
},
{
"category": "external",
"summary": "RHBZ#2031904",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1438"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438"
}
],
"release_date": "2023-02-28T18:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: XSS on impersonation under specific circumstances"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"acknowledgments": [
{
"names": [
"Ayta\u00e7 Kal\u0131nc\u0131",
"Ilker Bulgurcu",
"Yasin Y\u0131lmaz"
],
"organization": "NETA\u015e PENTEST TEAM"
}
],
"cve": "CVE-2022-2237",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"discovery_date": "2022-06-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2097007"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Adapter: Open redirect vulnerability in checkSSO",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "CodeReady Studio is no longer supported. Therefore, this flaw will not be addressed in CodeReady Studio. Please see https://developers.redhat.com/articles/2022/04/18/announcement-red-hat-codeready-studio-reaches-end-life for more information.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2237"
},
{
"category": "external",
"summary": "RHBZ#2097007",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097007"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2237",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2237"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2237",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2237"
}
],
"release_date": "2023-03-01T13:57:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Adapter: Open redirect vulnerability in checkSSO"
},
{
"cve": "CVE-2022-2764",
"discovery_date": "2022-08-11T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2117506"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2764"
},
{
"category": "external",
"summary": "RHBZ#2117506",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2764"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764"
}
],
"release_date": "2022-08-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations"
},
{
"cve": "CVE-2022-3782",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-10-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2138971"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: path traversal via double URL encoding",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not impacted as this CVE affects the server-side Keycloak execution but Quarkus only acts as a Keycloak client in its quarkus-keycloak-authorization extension. For this reason Quarkus is marked with Low impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3782"
},
{
"category": "external",
"summary": "RHBZ#2138971",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3782",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3782"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782"
}
],
"release_date": "2022-12-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: path traversal via double URL encoding"
},
{
"acknowledgments": [
{
"names": [
"Peter Flintholm"
],
"organization": "Trifork"
}
],
"cve": "CVE-2022-3916",
"cwe": {
"id": "CWE-384",
"name": "Session Fixation"
},
"discovery_date": "2022-11-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2141404"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Session takeover with OIDC offline refreshtokens",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3916"
},
{
"category": "external",
"summary": "RHBZ#2141404",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3916"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916"
}
],
"release_date": "2022-11-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Session takeover with OIDC offline refreshtokens"
},
{
"cve": "CVE-2022-4137",
"cwe": {
"id": "CWE-81",
"name": "Improper Neutralization of Script in an Error Message Web Page"
},
"discovery_date": "2022-11-25T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2148496"
}
],
"notes": [
{
"category": "description",
"text": "A reflected cross-site scripting (XSS) vulnerability was found in the \u0027oob\u0027 OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: reflected XSS attack",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4137"
},
{
"category": "external",
"summary": "RHBZ#2148496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4137",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137"
}
],
"release_date": "2023-03-01T13:56:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: reflected XSS attack"
},
{
"cve": "CVE-2022-24785",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-04-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2072009"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Moment.js: Path traversal in moment.locale",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-24785"
},
{
"category": "external",
"summary": "RHBZ#2072009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4",
"url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
}
],
"release_date": "2022-04-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
},
{
"category": "workaround",
"details": "Sanitize the user-provided locale name before passing it to Moment.js.",
"product_ids": [
"Red Hat Single Sign-On 7"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Moment.js: Path traversal in moment.locale"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-31129",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-07-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2105075"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "moment: inefficient parsing algorithm resulting in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31129"
},
{
"category": "external",
"summary": "RHBZ#2105075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129"
},
{
"category": "external",
"summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g",
"url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
}
],
"release_date": "2022-07-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "moment: inefficient parsing algorithm resulting in DoS"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-38749",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129706"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38749"
},
{
"category": "external",
"summary": "RHBZ#2129706",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode"
},
{
"cve": "CVE-2022-38750",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129707"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38750"
},
{
"category": "external",
"summary": "RHBZ#2129707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject"
},
{
"cve": "CVE-2022-38751",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2129709"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38751"
},
{
"category": "external",
"summary": "RHBZ#2129709",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751"
}
],
"release_date": "2022-09-05T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"Red Hat Single Sign-On 7"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46175",
"cwe": {
"id": "CWE-1321",
"name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)"
},
"discovery_date": "2022-12-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2156263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "json5: Prototype Pollution in JSON5 via Parse Method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46175"
},
{
"category": "external",
"summary": "RHBZ#2156263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175"
},
{
"category": "external",
"summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h",
"url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h"
}
],
"release_date": "2022-12-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "json5: Prototype Pollution in JSON5 via Parse Method"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "CXF: SSRF Vulnerability"
},
{
"acknowledgments": [
{
"names": [
"Sourav Kumar"
],
"organization": "https://github.com/souravs17031999",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0091",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Client Registration endpoint does not check token revocation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0091"
},
{
"category": "external",
"summary": "RHBZ#2158585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0091"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091"
},
{
"category": "external",
"summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg"
},
{
"category": "external",
"summary": "https://github.com/keycloak/security/issues/27",
"url": "https://github.com/keycloak/security/issues/27"
}
],
"release_date": "2022-10-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Client Registration endpoint does not check token revocation"
},
{
"acknowledgments": [
{
"names": [
"Jordi Zayuelas i Mu\u00f1oz"
],
"organization": "A1 Digital",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2023-0264",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2023-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160585"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: user impersonation via stolen uuid code",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Single Sign-On 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0264"
},
{
"category": "external",
"summary": "RHBZ#2160585",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0264"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264"
}
],
"release_date": "2023-02-28T18:58:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-01T21:58:17+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat Single Sign-On 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Single Sign-On 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: user impersonation via stolen uuid code"
}
]
}
RHSA-2023_0560
Vulnerability from csaf_redhat - Published: 2023-02-08 18:41 - Updated: 2024-12-16 16:06Summary
Red Hat Security Advisory: OpenShift Container Platform 4.10.51 security update
Notes
Topic
Red Hat OpenShift Container Platform release 4.10.51 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins
Script Security Plugin (CVE-2022-43401)
* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline:
Groovy Plugin (CVE-2022-43402)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins
Script Security Plugin (CVE-2022-43403)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins
Script Security Plugin (CVE-2022-43404)
* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in
Pipeline: Groovy Libraries Plugin (CVE-2022-43405)
* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in
Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)
* google-oauth-client: missing PKCE support in accordance with the RFC for
OAuth 2.0 for Native Apps can lead to improper authorization
(CVE-2020-7692)
* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)
* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be
bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jenkins-plugin/script-security: Whole-script approval in Script Security
Plugin vulnerable to SHA-1 collisions (CVE-2022-45379)
* jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin
(CVE-2022-45380)
* jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability
in Pipeline Utility Steps Plugin (CVE-2022-45381)
* Jenkins plugin: CSRF vulnerability in Script Security Plugin
(CVE-2022-30946)
* Jenkins plugin: User-scoped credentials exposed to other users by
Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)
* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
* Jenkins plugin: missing permission checks in Blue Ocean Plugin
(CVE-2022-30954)
* jenkins-plugin: Cross-site Request Forgery (CSRF) in
org.jenkins-ci.plugins:git (CVE-2022-36882)
* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook
(CVE-2022-36883)
* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook
(CVE-2022-36884)
* jenkins plugin: Non-constant time webhook signature comparison in GitHub
Plugin (CVE-2022-36885)
* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be
bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)
* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline:
Supporting APIs Plugin (CVE-2022-43409)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Container Platform release 4.10.51 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nSecurity Fix(es):\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins\nScript Security Plugin (CVE-2022-43401)\n* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline:\nGroovy Plugin (CVE-2022-43402)\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins\nScript Security Plugin (CVE-2022-43403)\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins\nScript Security Plugin (CVE-2022-43404)\n* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in\nPipeline: Groovy Libraries Plugin (CVE-2022-43405)\n* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in\nPipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)\n* google-oauth-client: missing PKCE support in accordance with the RFC for\nOAuth 2.0 for Native Apps can lead to improper authorization\n(CVE-2020-7692)\n* snakeyaml: Denial of Service due to missing nested depth limitation for\ncollections (CVE-2022-25857)\n* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be\nbypassed in Pipeline: Input Step Plugin (CVE-2022-43407)\n* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* jenkins-plugin/script-security: Whole-script approval in Script Security\nPlugin vulnerable to SHA-1 collisions (CVE-2022-45379)\n* jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin\n(CVE-2022-45380)\n* jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability\nin Pipeline Utility Steps Plugin (CVE-2022-45381)\n* Jenkins plugin: CSRF vulnerability in Script Security Plugin\n(CVE-2022-30946)\n* Jenkins plugin: User-scoped credentials exposed to other users by\nPipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)\n* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)\n* Jenkins plugin: missing permission checks in Blue Ocean Plugin\n(CVE-2022-30954)\n* jenkins-plugin: Cross-site Request Forgery (CSRF) in\norg.jenkins-ci.plugins:git (CVE-2022-36882)\n* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook\n(CVE-2022-36883)\n* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook\n(CVE-2022-36884)\n* jenkins plugin: Non-constant time webhook signature comparison in GitHub\nPlugin (CVE-2022-36885)\n* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be\nbypassed in Pipeline: Stage View Plugin (CVE-2022-43408)\n* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline:\nSupporting APIs Plugin (CVE-2022-43409)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0560",
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "1856376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856376"
},
{
"category": "external",
"summary": "2116840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116840"
},
{
"category": "external",
"summary": "2119643",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119643"
},
{
"category": "external",
"summary": "2119645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119645"
},
{
"category": "external",
"summary": "2119646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646"
},
{
"category": "external",
"summary": "2119647",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647"
},
{
"category": "external",
"summary": "2119656",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119656"
},
{
"category": "external",
"summary": "2119657",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119657"
},
{
"category": "external",
"summary": "2119658",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119658"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2136370",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370"
},
{
"category": "external",
"summary": "2136374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374"
},
{
"category": "external",
"summary": "2136379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379"
},
{
"category": "external",
"summary": "2136381",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381"
},
{
"category": "external",
"summary": "2136382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382"
},
{
"category": "external",
"summary": "2136383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383"
},
{
"category": "external",
"summary": "2136386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386"
},
{
"category": "external",
"summary": "2136388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388"
},
{
"category": "external",
"summary": "2136391",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391"
},
{
"category": "external",
"summary": "2143086",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143086"
},
{
"category": "external",
"summary": "2143089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143089"
},
{
"category": "external",
"summary": "2143090",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143090"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0560.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.10.51 security update",
"tracking": {
"current_release_date": "2024-12-16T16:06:28+00:00",
"generator": {
"date": "2024-12-16T16:06:28+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:0560",
"initial_release_date": "2023-02-08T18:41:32+00:00",
"revision_history": [
{
"date": "2023-02-08T18:41:32+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-02-08T18:41:32+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-16T16:06:28+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.10",
"product": {
"name": "Red Hat OpenShift Container Platform 4.10",
"product_id": "7Server-RH7-RHOSE-4.10",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.10::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.10",
"product": {
"name": "Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.10::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"product": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"product": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.10.1675144701-1.el8.src",
"product": {
"name": "jenkins-2-plugins-0:4.10.1675144701-1.el8.src",
"product_id": "jenkins-2-plugins-0:4.10.1675144701-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.10.1675144701-1.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"product": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"product": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"product_id": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-5.rhaos4.10.gitd9dec98.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"product": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"product": {
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"product_id": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debugsource@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"product": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"product_id": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"product": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"product": {
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"product_id": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debugsource@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"product": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"product_id": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"product": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"product": {
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"product_id": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debugsource@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"product": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"product_id": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"product": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"product": {
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"product_id": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debugsource@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"product": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"product_id": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"product": {
"name": "jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"product_id": "jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.10.1675144701-1.el8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src"
},
"product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64"
},
"product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64"
},
"product_reference": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64"
},
"product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le"
},
"product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x"
},
"product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src"
},
"product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
},
"product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64"
},
"product_reference": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le"
},
"product_reference": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x"
},
"product_reference": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
},
"product_reference": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64"
},
"product_reference": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le"
},
"product_reference": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x"
},
"product_reference": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
},
"product_reference": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch"
},
"product_reference": "jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.10.1675144701-1.el8.src as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
},
"product_reference": "jenkins-2-plugins-0:4.10.1675144701-1.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.10"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-7692",
"cwe": {
"id": "CWE-358",
"name": "Improperly Implemented Security Check for Standard"
},
"discovery_date": "2020-07-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1856376"
}
],
"notes": [
{
"category": "description",
"text": "PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-7692"
},
{
"category": "external",
"summary": "RHBZ#1856376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-7692",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7692"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7692",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7692"
}
],
"release_date": "2020-07-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-30946",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119643"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: CSRF vulnerability in Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30946"
},
{
"category": "external",
"summary": "RHBZ#2119643",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119643"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30946",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30946"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30946",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30946"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2116",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2116"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: CSRF vulnerability in Script Security Plugin"
},
{
"cve": "CVE-2022-30952",
"cwe": {
"id": "CWE-668",
"name": "Exposure of Resource to Wrong Sphere"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119645"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30952"
},
{
"category": "external",
"summary": "RHBZ#2119645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30952",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30952"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30952",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30952"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin"
},
{
"cve": "CVE-2022-30953",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119646"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: CSRF vulnerability in Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30953"
},
{
"category": "external",
"summary": "RHBZ#2119646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30953",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30953"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: CSRF vulnerability in Blue Ocean Plugin"
},
{
"cve": "CVE-2022-30954",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119647"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: missing permission checks in Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30954"
},
{
"category": "external",
"summary": "RHBZ#2119647",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30954",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30954"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: missing permission checks in Blue Ocean Plugin"
},
{
"cve": "CVE-2022-36882",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2116840"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Git Jenkins plugin. The affected versions of the Git Jenkins Plugin allow attackers to trigger the builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36882"
},
{
"category": "external",
"summary": "RHBZ#2116840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116840"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36882",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36882"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36882",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36882"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284"
}
],
"release_date": "2022-08-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git"
},
{
"cve": "CVE-2022-36883",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119656"
}
],
"notes": [
{
"category": "description",
"text": "A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Lack of authentication mechanism in Git Plugin webhook",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36883"
},
{
"category": "external",
"summary": "RHBZ#2119656",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119656"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36883",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36883"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36883",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36883"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284"
}
],
"release_date": "2022-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: Lack of authentication mechanism in Git Plugin webhook"
},
{
"cve": "CVE-2022-36884",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119657"
}
],
"notes": [
{
"category": "description",
"text": "The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Lack of authentication mechanism in Git Plugin webhook",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36884"
},
{
"category": "external",
"summary": "RHBZ#2119657",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119657"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36884",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36884"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36884",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36884"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284"
}
],
"release_date": "2022-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: Lack of authentication mechanism in Git Plugin webhook"
},
{
"cve": "CVE-2022-36885",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119658"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Non-constant time webhook signature comparison in GitHub Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36885"
},
{
"category": "external",
"summary": "RHBZ#2119658",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119658"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36885",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36885"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36885",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36885"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849"
}
],
"release_date": "2022-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: Non-constant time webhook signature comparison in GitHub Plugin"
},
{
"cve": "CVE-2022-43401",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136381"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43401"
},
{
"category": "external",
"summary": "RHBZ#2136381",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43401",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43401"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43402",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136379"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43402"
},
{
"category": "external",
"summary": "RHBZ#2136379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43402",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43402"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin"
},
{
"cve": "CVE-2022-43403",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136382"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43403"
},
{
"category": "external",
"summary": "RHBZ#2136382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43403",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43403"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43404",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136383"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43404"
},
{
"category": "external",
"summary": "RHBZ#2136383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43404",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43404"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43405",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136374"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43405"
},
{
"category": "external",
"summary": "RHBZ#2136374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43405",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43405"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-43406",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136370"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43406"
},
{
"category": "external",
"summary": "RHBZ#2136370",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43406",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43406"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-43407",
"cwe": {
"id": "CWE-838",
"name": "Inappropriate Encoding for Output Context"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136386"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability was found in a Jenkins plugin. This issue may allow an unauthenticated attacker to access Jenkins builds, bypassing CSRF protections. This could compromise the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43407"
},
{
"category": "external",
"summary": "RHBZ#2136386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43407",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43407"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin"
},
{
"cve": "CVE-2022-43408",
"cwe": {
"id": "CWE-838",
"name": "Inappropriate Encoding for Output Context"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136388"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site request forgery (CSRF) vulnerability was found in a Jenkins plugin. This issue may allow an authenticated attacker to access Jenkins builds, bypassing CSRF protections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43408"
},
{
"category": "external",
"summary": "RHBZ#2136388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43408",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43408"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin"
},
{
"cve": "CVE-2022-43409",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136391"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability was found in a Jenkins plugin. This issue may allow an authenticated remote attacker to create Pipelines.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43409"
},
{
"category": "external",
"summary": "RHBZ#2136391",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43409",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43409"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45379",
"cwe": {
"id": "CWE-328",
"name": "Use of Weak Hash"
},
"discovery_date": "2022-11-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2143090"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the script-security Jenkins Plugin. SHA-1 no longer meets the security standards for producing a cryptographically secure message digest. The affected version of the script-security Plugin stores whole-script approvals as the SHA-1 hash of the approved script.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as out of support scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45379"
},
{
"category": "external",
"summary": "RHBZ#2143090",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143090"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45379",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45379"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45379",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45379"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2564",
"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2564"
}
],
"release_date": "2022-11-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions"
},
{
"cve": "CVE-2022-45380",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-11-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2143086"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the JUnit Jenkins Plugin. The affected version of the JUnit plugin converts HTTP(S) URLs in test report output to clickable links, which leads to a stored Cross-site scripting (XSS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45380"
},
{
"category": "external",
"summary": "RHBZ#2143086",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143086"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45380",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45380"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45380",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45380"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2888",
"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2888"
}
],
"release_date": "2022-11-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin"
},
{
"cve": "CVE-2022-45381",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-11-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2143089"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Pipeline Utility Steps Jenkins Plugin. The affected version of the Pipeline Utility Steps Plugin does not restrict the set of enabled prefix interpolators and bundles versions of this library that enable the file: prefix interpolator by default. This flaw allows attackers who can configure Pipelines to read arbitrary files from the Jenkins controller file system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence the OpenShift 3.11 Jenkins component is marked in this CVE as out of support scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45381"
},
{
"category": "external",
"summary": "RHBZ#2143089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143089"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45381",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45381"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45381",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45381"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949",
"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949"
}
],
"release_date": "2022-11-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin"
}
]
}
RHSA-2023_0074
Vulnerability from csaf_redhat - Published: 2023-01-11 11:29 - Updated: 2024-11-22 21:11Summary
Red Hat Security Advisory: RHV 4.4 SP1 [ovirt-4.5.3-3] security update
Notes
Topic
Updated RHV packages that fix several bugs and add various enhancements are now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.
Security fix(es):
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* isomorphic-git: Directory traversal via a crafted repository (CVE-2021-30483)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* With this release, SELinux rules for the Grafana HTTP port are now properly set up for new remote DWH installations as part of the Red Hat Virtualization Manager engine-setup. (BZ#2126778)
* Previously, search conditions were not applied properly when a non-admin user tried to search for Clusters or Data Centers over the REST API. In this release, both admin and non-admin users can search for clusters properly using the REST API. (BZ#2144346)
* Previously, stale bitmaps in the base image during a cold or live internal merge caused the operation to fail. In this release, the merge operation succeeds. (BZ#2141371)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated RHV packages that fix several bugs and add various enhancements are now available.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning.\n\nSecurity fix(es):\n\n* mina-sshd: Java unsafe deserialization vulnerability\u00a0(CVE-2022-45047)\n\n* isomorphic-git: Directory traversal via a crafted repository (CVE-2021-30483)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* With this release, SELinux rules for the Grafana HTTP port are now properly set up for new remote DWH installations as part of the Red Hat Virtualization Manager engine-setup. (BZ#2126778)\n\n* Previously, search conditions were not applied properly when a non-admin user tried to search for Clusters or Data Centers over the REST API. In this release, both admin and non-admin users can search for clusters properly using the REST API. (BZ#2144346)\n\n* Previously, stale bitmaps in the base image during a cold or live internal merge caused the operation to fail. In this release, the merge operation succeeds. (BZ#2141371)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0074",
"url": "https://access.redhat.com/errata/RHSA-2023:0074"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1988539",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1988539"
},
{
"category": "external",
"summary": "2126778",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126778"
},
{
"category": "external",
"summary": "2141371",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141371"
},
{
"category": "external",
"summary": "2144346",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144346"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2152015",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2152015"
},
{
"category": "external",
"summary": "2152845",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2152845"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0074.json"
}
],
"title": "Red Hat Security Advisory: RHV 4.4 SP1 [ovirt-4.5.3-3] security update",
"tracking": {
"current_release_date": "2024-11-22T21:11:29+00:00",
"generator": {
"date": "2024-11-22T21:11:29+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2023:0074",
"initial_release_date": "2023-01-11T11:29:09+00:00",
"revision_history": [
{
"date": "2023-01-11T11:29:09+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-11T11:29:09+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T21:11:29+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product": {
"name": "RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhev_manager:4.4:el8"
}
}
},
{
"category": "product_name",
"name": "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product": {
"name": "Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8"
}
}
},
{
"category": "product_name",
"name": "Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product": {
"name": "Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat Virtualization"
},
{
"branches": [
{
"category": "product_version",
"name": "ovirt-engine-0:4.5.3.5-1.el8ev.src",
"product": {
"name": "ovirt-engine-0:4.5.3.5-1.el8ev.src",
"product_id": "ovirt-engine-0:4.5.3.5-1.el8ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine@4.5.3.5-1.el8ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "apache-sshd-1:2.9.2-0.1.el8ev.src",
"product": {
"name": "apache-sshd-1:2.9.2-0.1.el8ev.src",
"product_id": "apache-sshd-1:2.9.2-0.1.el8ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-sshd@2.9.2-0.1.el8ev?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src",
"product": {
"name": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src",
"product_id": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-ui-extensions@1.3.7-1.el8ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "ovirt-web-ui-0:1.9.3-1.el8ev.src",
"product": {
"name": "ovirt-web-ui-0:1.9.3-1.el8ev.src",
"product_id": "ovirt-web-ui-0:1.9.3-1.el8ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-web-ui@1.9.3-1.el8ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"product": {
"name": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"product_id": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhv-log-collector-analyzer@1.0.16-1.el8ev?arch=src"
}
}
},
{
"category": "product_version",
"name": "vdsm-0:4.50.3.6-1.el8ev.src",
"product": {
"name": "vdsm-0:4.50.3.6-1.el8ev.src",
"product_id": "vdsm-0:4.50.3.6-1.el8ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm@4.50.3.6-1.el8ev?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-backend@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-dbscripts@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-health-check-bundler@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-restapi@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-setup@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-setup-base@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-cinderlib@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-imageio@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-ovirt-engine-common@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-vmconsole-proxy-helper@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-setup-plugin-websocket-proxy@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-tools@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-tools-backup@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-vmconsole-proxy-helper@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-webadmin-portal@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"product_id": "ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-websocket-proxy@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"product_id": "python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-ovirt-engine-lib@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhvm-0:4.5.3.5-1.el8ev.noarch",
"product": {
"name": "rhvm-0:4.5.3.5-1.el8ev.noarch",
"product_id": "rhvm-0:4.5.3.5-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhvm@4.5.3.5-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"product": {
"name": "apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"product_id": "apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-sshd@2.9.2-0.1.el8ev?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch",
"product": {
"name": "apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch",
"product_id": "apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-sshd-javadoc@2.9.2-0.1.el8ev?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"product": {
"name": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"product_id": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-ui-extensions@1.3.7-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"product": {
"name": "ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"product_id": "ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-web-ui@1.9.3-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"product": {
"name": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"product_id": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rhv-log-collector-analyzer@1.0.16-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-api@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-client@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-common@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-cpuflags@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-ethtool-options@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-fcoe@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-localdisk@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-nestedvt@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-openstacknet@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-vhostmd@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-http@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-jsonrpc@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-python@4.50.3.6-1.el8ev?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"product": {
"name": "vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"product_id": "vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-yajsonrpc@4.50.3.6-1.el8ev?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "vdsm-0:4.50.3.6-1.el8ev.x86_64",
"product": {
"name": "vdsm-0:4.50.3.6-1.el8ev.x86_64",
"product_id": "vdsm-0:4.50.3.6-1.el8ev.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm@4.50.3.6-1.el8ev?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"product": {
"name": "vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"product_id": "vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-gluster@4.50.3.6-1.el8ev?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"product": {
"name": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"product_id": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-checkips@4.50.3.6-1.el8ev?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"product": {
"name": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"product_id": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-extra-ipv4-addrs@4.50.3.6-1.el8ev?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"product": {
"name": "vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"product_id": "vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-network@4.50.3.6-1.el8ev?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"product": {
"name": "vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"product_id": "vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm@4.50.3.6-1.el8ev?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"product": {
"name": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"product_id": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-checkips@4.50.3.6-1.el8ev?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"product": {
"name": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"product_id": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-hook-extra-ipv4-addrs@4.50.3.6-1.el8ev?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"product": {
"name": "vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"product_id": "vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/vdsm-network@4.50.3.6-1.el8ev?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-0:4.50.3.6-1.el8ev.ppc64le as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le"
},
"product_reference": "vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-0:4.50.3.6-1.el8ev.src as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.src"
},
"product_reference": "vdsm-0:4.50.3.6-1.el8ev.src",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-api-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-client-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-common-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le"
},
"product_reference": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le"
},
"product_reference": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-http-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-network-0:4.50.3.6-1.el8ev.ppc64le as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le"
},
"product_reference": "vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-network-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-python-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts",
"product_id": "8Base-RHV-Agents-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Agents-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-0:4.50.3.6-1.el8ev.ppc64le as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le"
},
"product_reference": "vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-0:4.50.3.6-1.el8ev.src as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.src"
},
"product_reference": "vdsm-0:4.50.3.6-1.el8ev.src",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-api-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-client-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-common-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le"
},
"product_reference": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le"
},
"product_reference": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-http-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-network-0:4.50.3.6-1.el8ev.ppc64le as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le"
},
"product_reference": "vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-network-0:4.50.3.6-1.el8ev.x86_64 as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64"
},
"product_reference": "vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-python-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch as a component of Red Hat Virtualization 4 Hypervisor for RHEL 8",
"product_id": "8Base-RHV-Hypervisor-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch"
},
"product_reference": "vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-Hypervisor-4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-1:2.9.2-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.noarch"
},
"product_reference": "apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-1:2.9.2-0.1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.src"
},
"product_reference": "apache-sshd-1:2.9.2-0.1.el8ev.src",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch"
},
"product_reference": "apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-0:4.5.3.5-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.src"
},
"product_reference": "ovirt-engine-0:4.5.3.5-1.el8ev.src",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src"
},
"product_reference": "ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-web-ui-0:1.9.3-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.noarch"
},
"product_reference": "ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-web-ui-0:1.9.3-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.src"
},
"product_reference": "ovirt-web-ui-0:1.9.3-1.el8ev.src",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch"
},
"product_reference": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src"
},
"product_reference": "rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"relates_to_product_reference": "8Base-RHV-S-4.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhvm-0:4.5.3.5-1.el8ev.noarch as a component of RHEL-8-RHEV-S-4.4 - Red Hat Virtualization Engine 4.4",
"product_id": "8Base-RHV-S-4.4:rhvm-0:4.5.3.5-1.el8ev.noarch"
},
"product_reference": "rhvm-0:4.5.3.5-1.el8ev.noarch",
"relates_to_product_reference": "8Base-RHV-S-4.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-30483",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2021-07-30T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.src",
"8Base-RHV-S-4.4:apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.src",
"8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"8Base-RHV-S-4.4:rhvm-0:4.5.3.5-1.el8ev.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1988539"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in isomorphic-git. An attacker could cause a Directory Traversal via a crafted filepath in a repository being cloned.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "isomorphic-git: Directory traversal via a crafted repository",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Hat Virtualization, isomorphic-git is a build time dependency and is not delivered with the product. Therefore impact has been rated Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src"
],
"known_not_affected": [
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.src",
"8Base-RHV-S-4.4:apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.src",
"8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"8Base-RHV-S-4.4:rhvm-0:4.5.3.5-1.el8ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-30483"
},
{
"category": "external",
"summary": "RHBZ#1988539",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1988539"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-30483",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30483"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-30483",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30483"
},
{
"category": "external",
"summary": "https://github.com/isomorphic-git/isomorphic-git/pull/1339",
"url": "https://github.com/isomorphic-git/isomorphic-git/pull/1339"
},
{
"category": "external",
"summary": "https://github.com/isomorphic-git/isomorphic-git/releases/tag/v1.8.2",
"url": "https://github.com/isomorphic-git/isomorphic-git/releases/tag/v1.8.2"
},
{
"category": "external",
"summary": "https://vuln.ryotak.me/advisories/28",
"url": "https://vuln.ryotak.me/advisories/28"
}
],
"release_date": "2021-07-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-11T11:29:09+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0074"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "isomorphic-git: Directory traversal via a crafted repository"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.src",
"8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"8Base-RHV-S-4.4:rhvm-0:4.5.3.5-1.el8ev.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.src",
"8Base-RHV-S-4.4:apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch"
],
"known_not_affected": [
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.src",
"8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"8Base-RHV-S-4.4:rhvm-0:4.5.3.5-1.el8ev.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-11T11:29:09+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.src",
"8Base-RHV-S-4.4:apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0074"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.src",
"8Base-RHV-S-4.4:apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-0:4.5.3.5-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-backend-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-dbscripts-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-health-check-bundler-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-restapi-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-base-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-cinderlib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-imageio-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-ovirt-engine-common-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-setup-plugin-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-tools-backup-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-ui-extensions-0:1.3.7-1.el8ev.src",
"8Base-RHV-S-4.4:ovirt-engine-vmconsole-proxy-helper-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-webadmin-portal-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-engine-websocket-proxy-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.noarch",
"8Base-RHV-S-4.4:ovirt-web-ui-0:1.9.3-1.el8ev.src",
"8Base-RHV-S-4.4:python3-ovirt-engine-lib-0:4.5.3.5-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.noarch",
"8Base-RHV-S-4.4:rhv-log-collector-analyzer-0:1.0.16-1.el8ev.src",
"8Base-RHV-S-4.4:rhvm-0:4.5.3.5-1.el8ev.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Agents-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Agents-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Agents-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Agents-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.src",
"8Base-RHV-Hypervisor-4:vdsm-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-api-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-client-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-common-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-gluster-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-checkips-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-cpuflags-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-ethtool-options-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-hook-extra-ipv4-addrs-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-hook-fcoe-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-localdisk-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-nestedvt-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-openstacknet-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-hook-vhostmd-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-http-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-jsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.ppc64le",
"8Base-RHV-Hypervisor-4:vdsm-network-0:4.50.3.6-1.el8ev.x86_64",
"8Base-RHV-Hypervisor-4:vdsm-python-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-Hypervisor-4:vdsm-yajsonrpc-0:4.50.3.6-1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.noarch",
"8Base-RHV-S-4.4:apache-sshd-1:2.9.2-0.1.el8ev.src",
"8Base-RHV-S-4.4:apache-sshd-javadoc-1:2.9.2-0.1.el8ev.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
}
]
}
RHSA-2023_0777
Vulnerability from csaf_redhat - Published: 2023-02-23 00:01 - Updated: 2024-12-17 23:01Summary
Red Hat Security Advisory: OpenShift Container Platform 4.9.56 security update
Notes
Topic
Red Hat OpenShift Container Platform release 4.9.56 is now available with updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.9.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.56. See the following advisory for the container images for this release:
https://access.redhat.com/errata/RHSA-2023:0778
Security Fix(es):
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43401)
* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43403)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43404)
* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin (CVE-2022-43405)
* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)
* google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization (CVE-2020-7692)
* SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions (CVE-2022-45379)
* jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2022-45380)
* jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin (CVE-2022-45381)
* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)
* Jenkins plugin: CSRF vulnerability in Script Security Plugin (CVE-2022-30946)
* Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)
* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)
* jenkins: Observable timing discrepancy allows determining username validity (CVE-2022-34174)
* jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git (CVE-2022-36882)
* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook (CVE-2022-36883)
* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook (CVE-2022-36884)
* jenkins plugin: Non-constant time webhook signature comparison in GitHub Plugin (CVE-2022-36885)
* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)
* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin (CVE-2022-43409)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.9 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Container Platform release 4.9.56 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nThis release includes a security update for Red Hat OpenShift Container Platform 4.9.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.56. See the following advisory for the container images for this release:\n\nhttps://access.redhat.com/errata/RHSA-2023:0778\n\nSecurity Fix(es):\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43401)\n\n* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin (CVE-2022-43402)\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43403)\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin (CVE-2022-43404)\n\n* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin (CVE-2022-43405)\n\n* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)\n\n* google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization (CVE-2020-7692)\n\n* SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)\n\n* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions (CVE-2022-45379)\n\n* jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2022-45380)\n\n* jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin (CVE-2022-45381)\n\n* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)\n\n* Jenkins plugin: CSRF vulnerability in Script Security Plugin (CVE-2022-30946)\n\n* Jenkins plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)\n\n* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)\n\n* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)\n\n* jenkins: Observable timing discrepancy allows determining username validity (CVE-2022-34174)\n\n* jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git (CVE-2022-36882)\n\n* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook (CVE-2022-36883)\n\n* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook (CVE-2022-36884)\n\n* jenkins plugin: Non-constant time webhook signature comparison in GitHub Plugin (CVE-2022-36885)\n\n* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)\n\n* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin (CVE-2022-43409)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll OpenShift Container Platform 4.9 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.9/updating/updating-cluster-cli.html",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0777",
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"url": "https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html"
},
{
"category": "external",
"summary": "1856376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856376"
},
{
"category": "external",
"summary": "2116840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116840"
},
{
"category": "external",
"summary": "2116952",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116952"
},
{
"category": "external",
"summary": "2119643",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119643"
},
{
"category": "external",
"summary": "2119645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119645"
},
{
"category": "external",
"summary": "2119646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646"
},
{
"category": "external",
"summary": "2119647",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647"
},
{
"category": "external",
"summary": "2119653",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119653"
},
{
"category": "external",
"summary": "2119656",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119656"
},
{
"category": "external",
"summary": "2119657",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119657"
},
{
"category": "external",
"summary": "2119658",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119658"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2136370",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370"
},
{
"category": "external",
"summary": "2136374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374"
},
{
"category": "external",
"summary": "2136379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379"
},
{
"category": "external",
"summary": "2136381",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381"
},
{
"category": "external",
"summary": "2136382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382"
},
{
"category": "external",
"summary": "2136383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383"
},
{
"category": "external",
"summary": "2136386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386"
},
{
"category": "external",
"summary": "2136388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388"
},
{
"category": "external",
"summary": "2136391",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391"
},
{
"category": "external",
"summary": "2143086",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143086"
},
{
"category": "external",
"summary": "2143089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143089"
},
{
"category": "external",
"summary": "2143090",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143090"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0777.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.9.56 security update",
"tracking": {
"current_release_date": "2024-12-17T23:01:39+00:00",
"generator": {
"date": "2024-12-17T23:01:39+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:0777",
"initial_release_date": "2023-02-23T00:01:27+00:00",
"revision_history": [
{
"date": "2023-02-23T00:01:27+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-02-23T00:01:27+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-17T23:01:39+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.9",
"product": {
"name": "Red Hat OpenShift Container Platform 4.9",
"product_id": "8Base-RHOSE-4.9",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.9::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.361.1.1675668150-1.el8.src",
"product": {
"name": "jenkins-0:2.361.1.1675668150-1.el8.src",
"product_id": "jenkins-0:2.361.1.1675668150-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.361.1.1675668150-1.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.9.1675668922-1.el8.src",
"product": {
"name": "jenkins-2-plugins-0:4.9.1675668922-1.el8.src",
"product_id": "jenkins-2-plugins-0:4.9.1675668922-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.9.1675668922-1.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-0:2.361.1.1675668150-1.el8.noarch",
"product": {
"name": "jenkins-0:2.361.1.1675668150-1.el8.noarch",
"product_id": "jenkins-0:2.361.1.1675668150-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins@2.361.1.1675668150-1.el8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"product": {
"name": "jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"product_id": "jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.9.1675668922-1.el8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.361.1.1675668150-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.9",
"product_id": "8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch"
},
"product_reference": "jenkins-0:2.361.1.1675668150-1.el8.noarch",
"relates_to_product_reference": "8Base-RHOSE-4.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-0:2.361.1.1675668150-1.el8.src as a component of Red Hat OpenShift Container Platform 4.9",
"product_id": "8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
},
"product_reference": "jenkins-0:2.361.1.1675668150-1.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.9",
"product_id": "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch"
},
"product_reference": "jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"relates_to_product_reference": "8Base-RHOSE-4.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.9.1675668922-1.el8.src as a component of Red Hat OpenShift Container Platform 4.9",
"product_id": "8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
},
"product_reference": "jenkins-2-plugins-0:4.9.1675668922-1.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.9"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-7692",
"cwe": {
"id": "CWE-358",
"name": "Improperly Implemented Security Check for Standard"
},
"discovery_date": "2020-07-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1856376"
}
],
"notes": [
{
"category": "description",
"text": "PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-7692"
},
{
"category": "external",
"summary": "RHBZ#1856376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-7692",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7692"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7692",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7692"
}
],
"release_date": "2020-07-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization"
},
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-2048",
"cwe": {
"id": "CWE-410",
"name": "Insufficient Resource Pool"
},
"discovery_date": "2022-08-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2116952"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Eclipse Jetty http2-server package. This flaw allows an attacker to cause a denial of service in the server via HTTP/2 requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "http2-server: Invalid HTTP/2 requests cause DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-2048"
},
{
"category": "external",
"summary": "RHBZ#2116952",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116952"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-2048",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2048"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2048",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2048"
},
{
"category": "external",
"summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j"
}
],
"release_date": "2022-07-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "http2-server: Invalid HTTP/2 requests cause DoS"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-30946",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119643"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: CSRF vulnerability in Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30946"
},
{
"category": "external",
"summary": "RHBZ#2119643",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119643"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30946",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30946"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30946",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30946"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2116",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2116"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: CSRF vulnerability in Script Security Plugin"
},
{
"cve": "CVE-2022-30952",
"cwe": {
"id": "CWE-668",
"name": "Exposure of Resource to Wrong Sphere"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119645"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30952"
},
{
"category": "external",
"summary": "RHBZ#2119645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30952",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30952"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30952",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30952"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin"
},
{
"cve": "CVE-2022-30953",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119646"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: CSRF vulnerability in Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30953"
},
{
"category": "external",
"summary": "RHBZ#2119646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30953",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30953"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: CSRF vulnerability in Blue Ocean Plugin"
},
{
"cve": "CVE-2022-30954",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119647"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: missing permission checks in Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30954"
},
{
"category": "external",
"summary": "RHBZ#2119647",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30954",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30954"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: missing permission checks in Blue Ocean Plugin"
},
{
"cve": "CVE-2022-34174",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119653"
}
],
"notes": [
{
"category": "description",
"text": "In Jenkins 2.355 and earlier, LTS 2.332.3 and earlier, an observable timing discrepancy on the login form allows distinguishing between login attempts with an invalid username, and login attempts with a valid username and wrong password, when using the Jenkins user database security realm.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins: Observable timing discrepancy allows determining username validity",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-34174"
},
{
"category": "external",
"summary": "RHBZ#2119653",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119653"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-34174",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34174"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-34174",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34174"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566",
"url": "https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2566"
}
],
"release_date": "2022-06-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins: Observable timing discrepancy allows determining username validity"
},
{
"cve": "CVE-2022-36882",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2116840"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Git Jenkins plugin. The affected versions of the Git Jenkins Plugin allow attackers to trigger the builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36882"
},
{
"category": "external",
"summary": "RHBZ#2116840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116840"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36882",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36882"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36882",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36882"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284"
}
],
"release_date": "2022-08-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git"
},
{
"cve": "CVE-2022-36883",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119656"
}
],
"notes": [
{
"category": "description",
"text": "A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Lack of authentication mechanism in Git Plugin webhook",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36883"
},
{
"category": "external",
"summary": "RHBZ#2119656",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119656"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36883",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36883"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36883",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36883"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284"
}
],
"release_date": "2022-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: Lack of authentication mechanism in Git Plugin webhook"
},
{
"cve": "CVE-2022-36884",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119657"
}
],
"notes": [
{
"category": "description",
"text": "The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Lack of authentication mechanism in Git Plugin webhook",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36884"
},
{
"category": "external",
"summary": "RHBZ#2119657",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119657"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36884",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36884"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36884",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36884"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284"
}
],
"release_date": "2022-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: Lack of authentication mechanism in Git Plugin webhook"
},
{
"cve": "CVE-2022-36885",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119658"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Non-constant time webhook signature comparison in GitHub Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36885"
},
{
"category": "external",
"summary": "RHBZ#2119658",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119658"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36885",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36885"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36885",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36885"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849"
}
],
"release_date": "2022-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: Non-constant time webhook signature comparison in GitHub Plugin"
},
{
"cve": "CVE-2022-43401",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136381"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43401"
},
{
"category": "external",
"summary": "RHBZ#2136381",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43401",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43401"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43402",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136379"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43402"
},
{
"category": "external",
"summary": "RHBZ#2136379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43402",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43402"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin"
},
{
"cve": "CVE-2022-43403",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136382"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43403"
},
{
"category": "external",
"summary": "RHBZ#2136382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43403",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43403"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43404",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136383"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43404"
},
{
"category": "external",
"summary": "RHBZ#2136383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43404",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43404"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43405",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136374"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43405"
},
{
"category": "external",
"summary": "RHBZ#2136374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43405",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43405"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-43406",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136370"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43406"
},
{
"category": "external",
"summary": "RHBZ#2136370",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43406",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43406"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-43407",
"cwe": {
"id": "CWE-838",
"name": "Inappropriate Encoding for Output Context"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136386"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability was found in a Jenkins plugin. This issue may allow an unauthenticated attacker to access Jenkins builds, bypassing CSRF protections. This could compromise the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43407"
},
{
"category": "external",
"summary": "RHBZ#2136386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43407",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43407"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin"
},
{
"cve": "CVE-2022-43408",
"cwe": {
"id": "CWE-838",
"name": "Inappropriate Encoding for Output Context"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136388"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site request forgery (CSRF) vulnerability was found in a Jenkins plugin. This issue may allow an authenticated attacker to access Jenkins builds, bypassing CSRF protections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43408"
},
{
"category": "external",
"summary": "RHBZ#2136388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43408",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43408"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin"
},
{
"cve": "CVE-2022-43409",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136391"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability was found in a Jenkins plugin. This issue may allow an authenticated remote attacker to create Pipelines.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43409"
},
{
"category": "external",
"summary": "RHBZ#2136391",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43409",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43409"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45379",
"cwe": {
"id": "CWE-328",
"name": "Use of Weak Hash"
},
"discovery_date": "2022-11-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2143090"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the script-security Jenkins Plugin. SHA-1 no longer meets the security standards for producing a cryptographically secure message digest. The affected version of the script-security Plugin stores whole-script approvals as the SHA-1 hash of the approved script.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as out of support scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45379"
},
{
"category": "external",
"summary": "RHBZ#2143090",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143090"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45379",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45379"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45379",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45379"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2564",
"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2564"
}
],
"release_date": "2022-11-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions"
},
{
"cve": "CVE-2022-45380",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-11-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2143086"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the JUnit Jenkins Plugin. The affected version of the JUnit plugin converts HTTP(S) URLs in test report output to clickable links, which leads to a stored Cross-site scripting (XSS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45380"
},
{
"category": "external",
"summary": "RHBZ#2143086",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143086"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45380",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45380"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45380",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45380"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2888",
"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2888"
}
],
"release_date": "2022-11-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin"
},
{
"cve": "CVE-2022-45381",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-11-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2143089"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Pipeline Utility Steps Jenkins Plugin. The affected version of the Pipeline Utility Steps Plugin does not restrict the set of enabled prefix interpolators and bundles versions of this library that enable the file: prefix interpolator by default. This flaw allows attackers who can configure Pipelines to read arbitrary files from the Jenkins controller file system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence the OpenShift 3.11 Jenkins component is marked in this CVE as out of support scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"known_not_affected": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45381"
},
{
"category": "external",
"summary": "RHBZ#2143089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143089"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45381",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45381"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45381",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45381"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949",
"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949"
}
],
"release_date": "2022-11-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-23T00:01:27+00:00",
"details": "For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html",
"product_ids": [
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0777"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-0:2.361.1.1675668150-1.el8.src",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.noarch",
"8Base-RHOSE-4.9:jenkins-2-plugins-0:4.9.1675668922-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin"
}
]
}
RHSA-2023:0554
Vulnerability from csaf_redhat - Published: 2023-01-31 13:15 - Updated: 2025-11-21 18:37Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* jquery: Prototype pollution in object's prototype leading to denial of
service, remote code execution, or property injection (CVE-2019-11358)
* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
(CVE-2018-14040)
* jquery: Untrusted code execution via <option> tag in HTML passed to DOM
manipulation methods (CVE-2020-11023)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
(CVE-2020-11022)
* bootstrap: XSS in the data-target attribute (CVE-2016-10735)
* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy
(CVE-2018-14041)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability
(CVE-2022-45047)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40152)
* bootstrap: Cross-site Scripting (XSS) in the data-container property of
tooltip (CVE-2018-14042)
* bootstrap: XSS in the tooltip or popover data-template attribute
(CVE-2019-8331)
* nodejs-moment: Regular expression denial of service (CVE-2017-18214)
* wildfly-elytron: possible timing attacks via use of unsafe comparator
(CVE-2022-3143)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
(CVE-2022-42003)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jettison: memory exhaustion via user-supplied XML or JSON data
(CVE-2022-40150)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9.\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of\nservice, remote code execution, or property injection (CVE-2019-11358)\n\n* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)\n\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute\n(CVE-2018-14040)\n\n* jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM\nmanipulation methods (CVE-2020-11023)\n\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method\n(CVE-2020-11022)\n\n* bootstrap: XSS in the data-target attribute (CVE-2016-10735)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy\n(CVE-2018-14041)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability\n(CVE-2022-45047)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of\nService attacks (CVE-2022-40152)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-container property of\ntooltip (CVE-2018-14042)\n\n* bootstrap: XSS in the tooltip or popover data-template attribute\n(CVE-2019-8331)\n\n* nodejs-moment: Regular expression denial of service (CVE-2017-18214)\n\n* wildfly-elytron: possible timing attacks via use of unsafe comparator\n(CVE-2022-3143)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS\n(CVE-2022-42003)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data\n(CVE-2022-40150)\n\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0554",
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/"
},
{
"category": "external",
"summary": "1399546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546"
},
{
"category": "external",
"summary": "1553413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1668097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097"
},
{
"category": "external",
"summary": "1686454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "2124682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682"
},
{
"category": "external",
"summary": "2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "JBEAP-23864",
"url": "https://issues.redhat.com/browse/JBEAP-23864"
},
{
"category": "external",
"summary": "JBEAP-23865",
"url": "https://issues.redhat.com/browse/JBEAP-23865"
},
{
"category": "external",
"summary": "JBEAP-23866",
"url": "https://issues.redhat.com/browse/JBEAP-23866"
},
{
"category": "external",
"summary": "JBEAP-23928",
"url": "https://issues.redhat.com/browse/JBEAP-23928"
},
{
"category": "external",
"summary": "JBEAP-24055",
"url": "https://issues.redhat.com/browse/JBEAP-24055"
},
{
"category": "external",
"summary": "JBEAP-24081",
"url": "https://issues.redhat.com/browse/JBEAP-24081"
},
{
"category": "external",
"summary": "JBEAP-24095",
"url": "https://issues.redhat.com/browse/JBEAP-24095"
},
{
"category": "external",
"summary": "JBEAP-24100",
"url": "https://issues.redhat.com/browse/JBEAP-24100"
},
{
"category": "external",
"summary": "JBEAP-24127",
"url": "https://issues.redhat.com/browse/JBEAP-24127"
},
{
"category": "external",
"summary": "JBEAP-24128",
"url": "https://issues.redhat.com/browse/JBEAP-24128"
},
{
"category": "external",
"summary": "JBEAP-24132",
"url": "https://issues.redhat.com/browse/JBEAP-24132"
},
{
"category": "external",
"summary": "JBEAP-24147",
"url": "https://issues.redhat.com/browse/JBEAP-24147"
},
{
"category": "external",
"summary": "JBEAP-24167",
"url": "https://issues.redhat.com/browse/JBEAP-24167"
},
{
"category": "external",
"summary": "JBEAP-24191",
"url": "https://issues.redhat.com/browse/JBEAP-24191"
},
{
"category": "external",
"summary": "JBEAP-24195",
"url": "https://issues.redhat.com/browse/JBEAP-24195"
},
{
"category": "external",
"summary": "JBEAP-24207",
"url": "https://issues.redhat.com/browse/JBEAP-24207"
},
{
"category": "external",
"summary": "JBEAP-24248",
"url": "https://issues.redhat.com/browse/JBEAP-24248"
},
{
"category": "external",
"summary": "JBEAP-24426",
"url": "https://issues.redhat.com/browse/JBEAP-24426"
},
{
"category": "external",
"summary": "JBEAP-24427",
"url": "https://issues.redhat.com/browse/JBEAP-24427"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0554.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update",
"tracking": {
"current_release_date": "2025-11-21T18:37:18+00:00",
"generator": {
"date": "2025-11-21T18:37:18+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2023:0554",
"initial_release_date": "2023-01-31T13:15:23+00:00",
"revision_history": [
{
"date": "2023-01-31T13:15:23+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-31T13:15:23+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:37:18+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss EAP 7.4 for RHEL 9",
"product": {
"name": "Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"product_id": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-elytron-web@1.9.3-1.Final_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_id": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-1.redhat_00003.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src",
"product_id": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-woodstox-core@6.4.0-1.redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_id": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-1.redhat_00003.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"product": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"product_id": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-javaee-security-soteria@1.0.1-3.redhat_00003.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_id": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-1.redhat_00003.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product": {
"name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_id": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-providers@2.12.7-1.redhat_00003.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_id": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-1.redhat_00003.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_id": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-1.redhat_00003.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"product": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"product_id": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-1.redhat_00002.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"product_id": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow@2.2.22-1.SP3_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"product_id": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.27-1.Final_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"product_id": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.3.16-1.Final_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"product_id": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar@1.5.10-1.Final_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"product_id": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsp-api_2.3_spec@2.0.0-3.Final_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"product_id": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-sshd@2.9.2-1.redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"product_id": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-ejb-client@4.0.49-1.Final_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"product_id": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsf-api_2.3_spec@3.0.0-6.SP07_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"product_id": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search@5.10.13-3.Final_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"product": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"product_id": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.16-1.Final_redhat_00001.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"product": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"product_id": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-24.Final_redhat_00023.1.el9eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"product": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"product_id": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.4.9-4.GA_redhat_00003.1.el9eap?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow-server@1.9.3-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"product_id": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-woodstox-core@6.4.0-1.redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-datatype-jdk8@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-datatype-jsr310@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-javaee-security-soteria@1.0.1-3.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-javaee-security-soteria-enterprise@1.0.1-3.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-base@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-json-provider@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-module-jaxb-annotations@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_id": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-1.redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"product": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"product_id": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-1.redhat_00002.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow@2.2.22-1.SP3_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.27-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.3.16-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-api@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-impl@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-spi@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-core-api@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-core-impl@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-deployers-common@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-jdbc@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-validator@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsp-api_2.3_spec@2.0.0-3.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"product_id": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-sshd@2.9.2-1.redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-ejb-client@4.0.49-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsf-api_2.3_spec@3.0.0-6.SP07_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search@5.10.13-3.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-backend-jgroups@5.10.13-3.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-backend-jms@5.10.13-3.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-engine@5.10.13-3.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-orm@5.10.13-3.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-serialization-avro@5.10.13-3.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.16-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"product": {
"name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"product_id": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.16-1.Final_redhat_00001.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"product_id": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-24.Final_redhat_00023.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"product_id": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-24.Final_redhat_00023.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"product_id": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-24.Final_redhat_00023.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"product_id": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.4.9-4.GA_redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"product_id": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.9-4.GA_redhat_00003.1.el9eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"product": {
"name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"product_id": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.9-4.GA_redhat_00003.1.el9eap?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src"
},
"product_reference": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src"
},
"product_reference": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src"
},
"product_reference": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src"
},
"product_reference": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src"
},
"product_reference": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src"
},
"product_reference": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src"
},
"product_reference": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src"
},
"product_reference": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch"
},
"product_reference": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src"
},
"product_reference": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src"
},
"product_reference": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch"
},
"product_reference": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch"
},
"product_reference": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"relates_to_product_reference": "9Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
"product_id": "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
},
"product_reference": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src",
"relates_to_product_reference": "9Base-JBEAP-7.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-9251",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2016-11-27T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1399546"
}
],
"notes": [
{
"category": "description",
"text": "jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting via cross-domain ajax requests",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-9251"
},
{
"category": "external",
"summary": "RHBZ#1399546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-9251",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-9251"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251"
}
],
"release_date": "2015-06-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Cross-site scripting via cross-domain ajax requests"
},
{
"cve": "CVE-2016-10735",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-01-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1668097"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: XSS in the data-target attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.\n\nRed Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-10735"
},
{
"category": "external",
"summary": "RHBZ#1668097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-10735",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10735"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735"
}
],
"release_date": "2016-06-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: XSS in the data-target attribute"
},
{
"cve": "CVE-2017-18214",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2018-03-08T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1553413"
}
],
"notes": [
{
"category": "description",
"text": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-moment: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of momentjs as shipped with Red Hat Enterprise Satellite 5. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.\n\nIn Quay 3.10 and above, no version of affected momentjs is present.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-18214"
},
{
"category": "external",
"summary": "RHBZ#1553413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-18214",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-18214"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214"
}
],
"release_date": "2017-09-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs-moment: Regular expression denial of service"
},
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14041",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601616"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting, caused by improper validation of user-supplied input by the data-target property of scrollspy. This flaw allows a remote attacker to execute a script in a victim\u0027s Web browser within the security context of the hosting Web site, which can lead to stealing the victim\u0027s cookie-based authentication credentials.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14041"
},
{
"category": "external",
"summary": "RHBZ#1601616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14041",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14041"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-8331",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-02-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1686454"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popover events fired.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: XSS in the tooltip or popover data-template attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-8331"
},
{
"category": "external",
"summary": "RHBZ#1686454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-8331",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8331"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331"
}
],
"release_date": "2019-02-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: XSS in the tooltip or popover data-template attribute"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. As PCS does not accept untrusted input, the vulnerable code cannot be controlled by an attacker.\n\nMultiple Red Hat offerings use doxygen to build documentation. During this process an affected jquery.js file can be included in the resulting package. The \u0027gcc\u0027 and \u0027tbb\u0027 packages were potentially vulnerable via this method.\n\nOpenShift Container Platform 4 is not affected because even though it uses the \u0027gcc\u0027 component, vulnerable code is limited within the libstdc++-docs rpm package, which is not shipped.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nStatic code analysis controls ensure that security flaws, including XSS vulnerabilities, are detected early in development by scanning code for improper input handling. This prevents vulnerable code from reaching production and encourages our developers to follow secure coding practices. System monitoring controls play a crucial role in detecting and responding to XSS attacks by analyzing logs, monitoring user behavior, and generating alerts for suspicious activity. Meanwhile, AWS WAF (Web Application Firewall) adds an extra layer of defense by filtering and blocking malicious input before it reaches the platform and/or application. Together, these controls create a defense-in-depth approach, reducing the risk of XSS exploitation by preventing, detecting, and mitigating attacks at multiple levels.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2025-01-23T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2022-3143",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-09-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2124682"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-elytron: possible timing attacks via use of unsafe comparator",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3143"
},
{
"category": "external",
"summary": "RHBZ#2124682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3143",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3143"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143"
}
],
"release_date": "2022-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly-elytron: possible timing attacks via use of unsafe comparator"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-40152",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134291"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40152"
},
{
"category": "external",
"summary": "RHBZ#2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40152",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4",
"url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src"
],
"known_not_affected": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:23+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src",
"9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch",
"9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "CXF: SSRF Vulnerability"
}
]
}
RHSA-2023:0560
Vulnerability from csaf_redhat - Published: 2023-02-08 18:41 - Updated: 2025-11-21 18:37Summary
Red Hat Security Advisory: OpenShift Container Platform 4.10.51 security update
Notes
Topic
Red Hat OpenShift Container Platform release 4.10.51 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins
Script Security Plugin (CVE-2022-43401)
* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline:
Groovy Plugin (CVE-2022-43402)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins
Script Security Plugin (CVE-2022-43403)
* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins
Script Security Plugin (CVE-2022-43404)
* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in
Pipeline: Groovy Libraries Plugin (CVE-2022-43405)
* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in
Pipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)
* google-oauth-client: missing PKCE support in accordance with the RFC for
OAuth 2.0 for Native Apps can lead to improper authorization
(CVE-2020-7692)
* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)
* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be
bypassed in Pipeline: Input Step Plugin (CVE-2022-43407)
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jenkins-plugin/script-security: Whole-script approval in Script Security
Plugin vulnerable to SHA-1 collisions (CVE-2022-45379)
* jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin
(CVE-2022-45380)
* jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability
in Pipeline Utility Steps Plugin (CVE-2022-45381)
* Jenkins plugin: CSRF vulnerability in Script Security Plugin
(CVE-2022-30946)
* Jenkins plugin: User-scoped credentials exposed to other users by
Pipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)
* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
* Jenkins plugin: missing permission checks in Blue Ocean Plugin
(CVE-2022-30954)
* jenkins-plugin: Cross-site Request Forgery (CSRF) in
org.jenkins-ci.plugins:git (CVE-2022-36882)
* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook
(CVE-2022-36883)
* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook
(CVE-2022-36884)
* jenkins plugin: Non-constant time webhook signature comparison in GitHub
Plugin (CVE-2022-36885)
* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be
bypassed in Pipeline: Stage View Plugin (CVE-2022-43408)
* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline:
Supporting APIs Plugin (CVE-2022-43409)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Container Platform release 4.10.51 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nSecurity Fix(es):\n\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins\nScript Security Plugin (CVE-2022-43401)\n* jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline:\nGroovy Plugin (CVE-2022-43402)\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins\nScript Security Plugin (CVE-2022-43403)\n* jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins\nScript Security Plugin (CVE-2022-43404)\n* jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in\nPipeline: Groovy Libraries Plugin (CVE-2022-43405)\n* jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in\nPipeline: Deprecated Groovy Libraries Plugin (CVE-2022-43406)\n* google-oauth-client: missing PKCE support in accordance with the RFC for\nOAuth 2.0 for Native Apps can lead to improper authorization\n(CVE-2020-7692)\n* snakeyaml: Denial of Service due to missing nested depth limitation for\ncollections (CVE-2022-25857)\n* jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be\nbypassed in Pipeline: Input Step Plugin (CVE-2022-43407)\n* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* jenkins-plugin/script-security: Whole-script approval in Script Security\nPlugin vulnerable to SHA-1 collisions (CVE-2022-45379)\n* jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin\n(CVE-2022-45380)\n* jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability\nin Pipeline Utility Steps Plugin (CVE-2022-45381)\n* Jenkins plugin: CSRF vulnerability in Script Security Plugin\n(CVE-2022-30946)\n* Jenkins plugin: User-scoped credentials exposed to other users by\nPipeline SCM API for Blue Ocean Plugin (CVE-2022-30952)\n* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)\n* Jenkins plugin: missing permission checks in Blue Ocean Plugin\n(CVE-2022-30954)\n* jenkins-plugin: Cross-site Request Forgery (CSRF) in\norg.jenkins-ci.plugins:git (CVE-2022-36882)\n* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook\n(CVE-2022-36883)\n* jenkins plugin: Lack of authentication mechanism in Git Plugin webhook\n(CVE-2022-36884)\n* jenkins plugin: Non-constant time webhook signature comparison in GitHub\nPlugin (CVE-2022-36885)\n* jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be\nbypassed in Pipeline: Stage View Plugin (CVE-2022-43408)\n* jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline:\nSupporting APIs Plugin (CVE-2022-43409)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0560",
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "1856376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856376"
},
{
"category": "external",
"summary": "2116840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116840"
},
{
"category": "external",
"summary": "2119643",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119643"
},
{
"category": "external",
"summary": "2119645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119645"
},
{
"category": "external",
"summary": "2119646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646"
},
{
"category": "external",
"summary": "2119647",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647"
},
{
"category": "external",
"summary": "2119656",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119656"
},
{
"category": "external",
"summary": "2119657",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119657"
},
{
"category": "external",
"summary": "2119658",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119658"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2136370",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370"
},
{
"category": "external",
"summary": "2136374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374"
},
{
"category": "external",
"summary": "2136379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379"
},
{
"category": "external",
"summary": "2136381",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381"
},
{
"category": "external",
"summary": "2136382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382"
},
{
"category": "external",
"summary": "2136383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383"
},
{
"category": "external",
"summary": "2136386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386"
},
{
"category": "external",
"summary": "2136388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388"
},
{
"category": "external",
"summary": "2136391",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391"
},
{
"category": "external",
"summary": "2143086",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143086"
},
{
"category": "external",
"summary": "2143089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143089"
},
{
"category": "external",
"summary": "2143090",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143090"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0560.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.10.51 security update",
"tracking": {
"current_release_date": "2025-11-21T18:37:18+00:00",
"generator": {
"date": "2025-11-21T18:37:18+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2023:0560",
"initial_release_date": "2023-02-08T18:41:32+00:00",
"revision_history": [
{
"date": "2023-02-08T18:41:32+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-02-08T18:41:32+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:37:18+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.10",
"product": {
"name": "Red Hat OpenShift Container Platform 4.10",
"product_id": "7Server-RH7-RHOSE-4.10",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.10::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.10",
"product": {
"name": "Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.10::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"product": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"product": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.10.1675144701-1.el8.src",
"product": {
"name": "jenkins-2-plugins-0:4.10.1675144701-1.el8.src",
"product_id": "jenkins-2-plugins-0:4.10.1675144701-1.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.10.1675144701-1.el8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"product": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"product": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"product_id": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-5.rhaos4.10.gitd9dec98.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"product": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"product": {
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"product_id": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debugsource@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"product": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"product_id": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"product": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"product": {
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"product_id": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debugsource@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"product": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"product_id": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"product": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"product": {
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"product_id": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debugsource@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=ppc64le"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"product": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"product_id": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"product": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"product_id": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"product": {
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"product_id": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debugsource@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=s390x"
}
}
},
{
"category": "product_version",
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"product": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"product_id": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-5.rhaos4.10.gitd9dec98.el8?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"product": {
"name": "jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"product_id": "jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jenkins-2-plugins@4.10.1675144701-1.el8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src"
},
"product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64"
},
"product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64"
},
"product_reference": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64"
},
"product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le"
},
"product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x"
},
"product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src"
},
"product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
},
"product_reference": "cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64"
},
"product_reference": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le"
},
"product_reference": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x"
},
"product_reference": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
},
"product_reference": "cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64"
},
"product_reference": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le"
},
"product_reference": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x"
},
"product_reference": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
},
"product_reference": "cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch"
},
"product_reference": "jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"relates_to_product_reference": "8Base-RHOSE-4.10"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jenkins-2-plugins-0:4.10.1675144701-1.el8.src as a component of Red Hat OpenShift Container Platform 4.10",
"product_id": "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
},
"product_reference": "jenkins-2-plugins-0:4.10.1675144701-1.el8.src",
"relates_to_product_reference": "8Base-RHOSE-4.10"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-7692",
"cwe": {
"id": "CWE-358",
"name": "Improperly Implemented Security Check for Standard"
},
"discovery_date": "2020-07-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1856376"
}
],
"notes": [
{
"category": "description",
"text": "PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-7692"
},
{
"category": "external",
"summary": "RHBZ#1856376",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856376"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-7692",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7692"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-7692",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7692"
}
],
"release_date": "2020-07-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can lead to improper authorization"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-30946",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119643"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: CSRF vulnerability in Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30946"
},
{
"category": "external",
"summary": "RHBZ#2119643",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119643"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30946",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30946"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30946",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30946"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2116",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2116"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: CSRF vulnerability in Script Security Plugin"
},
{
"cve": "CVE-2022-30952",
"cwe": {
"id": "CWE-668",
"name": "Exposure of Resource to Wrong Sphere"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119645"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30952"
},
{
"category": "external",
"summary": "RHBZ#2119645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30952",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30952"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30952",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30952"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-714"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin"
},
{
"cve": "CVE-2022-30953",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119646"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: CSRF vulnerability in Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30953"
},
{
"category": "external",
"summary": "RHBZ#2119646",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30953",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30953"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: CSRF vulnerability in Blue Ocean Plugin"
},
{
"cve": "CVE-2022-30954",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119647"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: missing permission checks in Blue Ocean Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-30954"
},
{
"category": "external",
"summary": "RHBZ#2119647",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-30954",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30954"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502",
"url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502"
}
],
"release_date": "2022-05-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: missing permission checks in Blue Ocean Plugin"
},
{
"cve": "CVE-2022-36882",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2022-08-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2116840"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Git Jenkins plugin. The affected versions of the Git Jenkins Plugin allow attackers to trigger the builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36882"
},
{
"category": "external",
"summary": "RHBZ#2116840",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2116840"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36882",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36882"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36882",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36882"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284"
}
],
"release_date": "2022-08-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin: Cross-site Request Forgery (CSRF) in org.jenkins-ci.plugins:git"
},
{
"cve": "CVE-2022-36883",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119656"
}
],
"notes": [
{
"category": "description",
"text": "A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Lack of authentication mechanism in Git Plugin webhook",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36883"
},
{
"category": "external",
"summary": "RHBZ#2119656",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119656"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36883",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36883"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36883",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36883"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284"
}
],
"release_date": "2022-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: Lack of authentication mechanism in Git Plugin webhook"
},
{
"cve": "CVE-2022-36884",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119657"
}
],
"notes": [
{
"category": "description",
"text": "The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Lack of authentication mechanism in Git Plugin webhook",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36884"
},
{
"category": "external",
"summary": "RHBZ#2119657",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119657"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36884",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36884"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36884",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36884"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-284"
}
],
"release_date": "2022-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: Lack of authentication mechanism in Git Plugin webhook"
},
{
"cve": "CVE-2022-36885",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-08-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2119658"
}
],
"notes": [
{
"category": "description",
"text": "Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plugin: Non-constant time webhook signature comparison in GitHub Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36885"
},
{
"category": "external",
"summary": "RHBZ#2119658",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119658"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36885",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36885"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36885",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36885"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849",
"url": "https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849"
}
],
"release_date": "2022-07-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "plugin: Non-constant time webhook signature comparison in GitHub Plugin"
},
{
"cve": "CVE-2022-43401",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136381"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43401"
},
{
"category": "external",
"summary": "RHBZ#2136381",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43401",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43401"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43402",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136379"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43402"
},
{
"category": "external",
"summary": "RHBZ#2136379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43402",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43402"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43402"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/workflow-cps: Sandbox bypass vulnerabilities in Pipeline: Groovy Plugin"
},
{
"cve": "CVE-2022-43403",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136382"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43403"
},
{
"category": "external",
"summary": "RHBZ#2136382",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136382"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43403",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43403"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43403"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43404",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136383"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43404"
},
{
"category": "external",
"summary": "RHBZ#2136383",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136383"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43404",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43404"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43404"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin"
},
{
"cve": "CVE-2022-43405",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136374"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43405"
},
{
"category": "external",
"summary": "RHBZ#2136374",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136374"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43405",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43405"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43405"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/pipeline-groovy-lib: Sandbox bypass vulnerability in Pipeline: Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-43406",
"cwe": {
"id": "CWE-693",
"name": "Protection Mechanism Failure"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136370"
}
],
"notes": [
{
"category": "description",
"text": "A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43406"
},
{
"category": "external",
"summary": "RHBZ#2136370",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136370"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43406",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43406"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43406"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "jenkins-plugin/workflow-cps-global-lib: Sandbox bypass vulnerability in Pipeline: Deprecated Groovy Libraries Plugin"
},
{
"cve": "CVE-2022-43407",
"cwe": {
"id": "CWE-838",
"name": "Inappropriate Encoding for Output Context"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136386"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site request forgery (CSRF) vulnerability was found in a Jenkins plugin. This issue may allow an unauthenticated attacker to access Jenkins builds, bypassing CSRF protections. This could compromise the integrity, availability, and confidentiality of Jenkins.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43407"
},
{
"category": "external",
"summary": "RHBZ#2136386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136386"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43407",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43407"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43407"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin"
},
{
"cve": "CVE-2022-43408",
"cwe": {
"id": "CWE-838",
"name": "Inappropriate Encoding for Output Context"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136388"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site request forgery (CSRF) vulnerability was found in a Jenkins plugin. This issue may allow an authenticated attacker to access Jenkins builds, bypassing CSRF protections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43408"
},
{
"category": "external",
"summary": "RHBZ#2136388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136388"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43408",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43408"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43408"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin"
},
{
"cve": "CVE-2022-43409",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-10-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2136391"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability was found in a Jenkins plugin. This issue may allow an authenticated remote attacker to create Pipelines.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-43409"
},
{
"category": "external",
"summary": "RHBZ#2136391",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136391"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-43409",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43409"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43409"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881",
"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2881"
}
],
"release_date": "2022-10-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jenkins-plugin/workflow-support: Stored XSS vulnerability in Pipeline: Supporting APIs Plugin"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45379",
"cwe": {
"id": "CWE-328",
"name": "Use of Weak Hash"
},
"discovery_date": "2022-11-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2143090"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the script-security Jenkins Plugin. SHA-1 no longer meets the security standards for producing a cryptographically secure message digest. The affected version of the script-security Plugin stores whole-script approvals as the SHA-1 hash of the approved script.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as out of support scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45379"
},
{
"category": "external",
"summary": "RHBZ#2143090",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143090"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45379",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45379"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45379",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45379"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2564",
"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2564"
}
],
"release_date": "2022-11-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/script-security: Whole-script approval in Script Security Plugin vulnerable to SHA-1 collisions"
},
{
"cve": "CVE-2022-45380",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2022-11-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2143086"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the JUnit Jenkins Plugin. The affected version of the JUnit plugin converts HTTP(S) URLs in test report output to clickable links, which leads to a stored Cross-site scripting (XSS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45380"
},
{
"category": "external",
"summary": "RHBZ#2143086",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143086"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45380",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45380"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45380",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45380"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2888",
"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2888"
}
],
"release_date": "2022-11-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/JUnit: Stored XSS vulnerability in JUnit Plugin"
},
{
"cve": "CVE-2022-45381",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2022-11-16T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2143089"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Pipeline Utility Steps Jenkins Plugin. The affected version of the Pipeline Utility Steps Plugin does not restrict the set of enabled prefix interpolators and bundles versions of this library that enable the file: prefix interpolator by default. This flaw allows attackers who can configure Pipelines to read arbitrary files from the Jenkins controller file system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence the OpenShift 3.11 Jenkins component is marked in this CVE as out of support scope.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"known_not_affected": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45381"
},
{
"category": "external",
"summary": "RHBZ#2143089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143089"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45381",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45381"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45381",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45381"
},
{
"category": "external",
"summary": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949",
"url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949"
}
],
"release_date": "2022-11-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-08T18:41:32+00:00",
"details": "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html\n\nBefore applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.src",
"7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el7.x86_64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.src",
"8Base-RHOSE-4.10:cri-o-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.aarch64",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.ppc64le",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.s390x",
"8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-5.rhaos4.10.gitd9dec98.el8.x86_64",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.noarch",
"8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1675144701-1.el8.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin"
}
]
}
RHSA-2023:0556
Vulnerability from csaf_redhat - Published: 2023-01-31 13:18 - Updated: 2025-11-21 18:37Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods (CVE-2020-11023)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* bootstrap: XSS in the data-target attribute (CVE-2016-10735)
* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy (CVE-2018-14041)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)
* nodejs-moment: Regular expression denial of service (CVE-2017-18214)
* wildfly-elytron: possible timing attacks via use of unsafe comparator (CVE-2022-3143)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n\n* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)\n\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n\n* jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods (CVE-2020-11023)\n\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n\n* bootstrap: XSS in the data-target attribute (CVE-2016-10735)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy (CVE-2018-14041)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n\n* bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)\n\n* nodejs-moment: Regular expression denial of service (CVE-2017-18214)\n\n* wildfly-elytron: possible timing attacks via use of unsafe comparator (CVE-2022-3143)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0556",
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4",
"url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/index",
"url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/index"
},
{
"category": "external",
"summary": "1399546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546"
},
{
"category": "external",
"summary": "1553413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1668097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097"
},
{
"category": "external",
"summary": "1686454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "2124682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682"
},
{
"category": "external",
"summary": "2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "JBEAP-23864",
"url": "https://issues.redhat.com/browse/JBEAP-23864"
},
{
"category": "external",
"summary": "JBEAP-23865",
"url": "https://issues.redhat.com/browse/JBEAP-23865"
},
{
"category": "external",
"summary": "JBEAP-23866",
"url": "https://issues.redhat.com/browse/JBEAP-23866"
},
{
"category": "external",
"summary": "JBEAP-24055",
"url": "https://issues.redhat.com/browse/JBEAP-24055"
},
{
"category": "external",
"summary": "JBEAP-24081",
"url": "https://issues.redhat.com/browse/JBEAP-24081"
},
{
"category": "external",
"summary": "JBEAP-24095",
"url": "https://issues.redhat.com/browse/JBEAP-24095"
},
{
"category": "external",
"summary": "JBEAP-24100",
"url": "https://issues.redhat.com/browse/JBEAP-24100"
},
{
"category": "external",
"summary": "JBEAP-24127",
"url": "https://issues.redhat.com/browse/JBEAP-24127"
},
{
"category": "external",
"summary": "JBEAP-24128",
"url": "https://issues.redhat.com/browse/JBEAP-24128"
},
{
"category": "external",
"summary": "JBEAP-24132",
"url": "https://issues.redhat.com/browse/JBEAP-24132"
},
{
"category": "external",
"summary": "JBEAP-24147",
"url": "https://issues.redhat.com/browse/JBEAP-24147"
},
{
"category": "external",
"summary": "JBEAP-24167",
"url": "https://issues.redhat.com/browse/JBEAP-24167"
},
{
"category": "external",
"summary": "JBEAP-24191",
"url": "https://issues.redhat.com/browse/JBEAP-24191"
},
{
"category": "external",
"summary": "JBEAP-24195",
"url": "https://issues.redhat.com/browse/JBEAP-24195"
},
{
"category": "external",
"summary": "JBEAP-24207",
"url": "https://issues.redhat.com/browse/JBEAP-24207"
},
{
"category": "external",
"summary": "JBEAP-24248",
"url": "https://issues.redhat.com/browse/JBEAP-24248"
},
{
"category": "external",
"summary": "JBEAP-24426",
"url": "https://issues.redhat.com/browse/JBEAP-24426"
},
{
"category": "external",
"summary": "JBEAP-24427",
"url": "https://issues.redhat.com/browse/JBEAP-24427"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0556.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update",
"tracking": {
"current_release_date": "2025-11-21T18:37:18+00:00",
"generator": {
"date": "2025-11-21T18:37:18+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2023:0556",
"initial_release_date": "2023-01-31T13:18:26+00:00",
"revision_history": [
{
"date": "2023-01-31T13:18:26+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-10-23T23:10:20+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:37:18+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 7",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 7",
"product_id": "Red Hat JBoss Enterprise Application Platform 7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-9251",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2016-11-27T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1399546"
}
],
"notes": [
{
"category": "description",
"text": "jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting via cross-domain ajax requests",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-9251"
},
{
"category": "external",
"summary": "RHBZ#1399546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-9251",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-9251"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251"
}
],
"release_date": "2015-06-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Cross-site scripting via cross-domain ajax requests"
},
{
"cve": "CVE-2016-10735",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-01-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1668097"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: XSS in the data-target attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.\n\nRed Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-10735"
},
{
"category": "external",
"summary": "RHBZ#1668097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-10735",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10735"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735"
}
],
"release_date": "2016-06-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: XSS in the data-target attribute"
},
{
"cve": "CVE-2017-18214",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2018-03-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1553413"
}
],
"notes": [
{
"category": "description",
"text": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-moment: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of momentjs as shipped with Red Hat Enterprise Satellite 5. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.\n\nIn Quay 3.10 and above, no version of affected momentjs is present.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-18214"
},
{
"category": "external",
"summary": "RHBZ#1553413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-18214",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-18214"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214"
}
],
"release_date": "2017-09-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs-moment: Regular expression denial of service"
},
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14041",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601616"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting, caused by improper validation of user-supplied input by the data-target property of scrollspy. This flaw allows a remote attacker to execute a script in a victim\u0027s Web browser within the security context of the hosting Web site, which can lead to stealing the victim\u0027s cookie-based authentication credentials.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14041"
},
{
"category": "external",
"summary": "RHBZ#1601616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14041",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14041"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-8331",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-02-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1686454"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popover events fired.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: XSS in the tooltip or popover data-template attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-8331"
},
{
"category": "external",
"summary": "RHBZ#1686454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-8331",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8331"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331"
}
],
"release_date": "2019-02-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: XSS in the tooltip or popover data-template attribute"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. As PCS does not accept untrusted input, the vulnerable code cannot be controlled by an attacker.\n\nMultiple Red Hat offerings use doxygen to build documentation. During this process an affected jquery.js file can be included in the resulting package. The \u0027gcc\u0027 and \u0027tbb\u0027 packages were potentially vulnerable via this method.\n\nOpenShift Container Platform 4 is not affected because even though it uses the \u0027gcc\u0027 component, vulnerable code is limited within the libstdc++-docs rpm package, which is not shipped.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nStatic code analysis controls ensure that security flaws, including XSS vulnerabilities, are detected early in development by scanning code for improper input handling. This prevents vulnerable code from reaching production and encourages our developers to follow secure coding practices. System monitoring controls play a crucial role in detecting and responding to XSS attacks by analyzing logs, monitoring user behavior, and generating alerts for suspicious activity. Meanwhile, AWS WAF (Web Application Firewall) adds an extra layer of defense by filtering and blocking malicious input before it reaches the platform and/or application. Together, these controls create a defense-in-depth approach, reducing the risk of XSS exploitation by preventing, detecting, and mitigating attacks at multiple levels.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2025-01-23T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2022-3143",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-09-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2124682"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-elytron: possible timing attacks via use of unsafe comparator",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3143"
},
{
"category": "external",
"summary": "RHBZ#2124682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3143",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3143"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143"
}
],
"release_date": "2022-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly-elytron: possible timing attacks via use of unsafe comparator"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-40152",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134291"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40152"
},
{
"category": "external",
"summary": "RHBZ#2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40152",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4",
"url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46363",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155681"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: directory listing / code exfiltration",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46363"
},
{
"category": "external",
"summary": "RHBZ#2155681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
"url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CXF: directory listing / code exfiltration"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 7"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:18:26+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 7"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 7"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "CXF: SSRF Vulnerability"
}
]
}
RHSA-2023_0758
Vulnerability from csaf_redhat - Published: 2023-02-14 12:11 - Updated: 2024-12-17 23:01Summary
Red Hat Security Advisory: Red Hat build of Quarkus 2.13.7 release and security update
Notes
Topic
An update is now available for Red Hat build of Quarkus.
Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability. For more
information, see the CVE links in the References section.
Details
This release of Red Hat build of Quarkus 2.13.7 includes security updates, bug
fixes, and enhancements. For more information, see the release notes page listed in the References section.
Security Fix(es):
* CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2.13]
* CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [quarkus-2.13]
* CVE-2022-45047 sshd-common: mina-sshd: Java unsafe deserialization vulnerability [quarkus-2.13]
* CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2.13]
* CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2.13]
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of\nModerate. A Common Vulnerability Scoring System (CVSS) base score, which gives a\ndetailed severity rating, is available for each vulnerability. For more\ninformation, see the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat build of Quarkus 2.13.7 includes security updates, bug\nfixes, and enhancements. For more information, see the release notes page listed in the References section.\n\nSecurity Fix(es):\n\n* CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2.13]\n\n* CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [quarkus-2.13]\n\n* CVE-2022-45047 sshd-common: mina-sshd: Java unsafe deserialization vulnerability [quarkus-2.13]\n\n* CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2.13]\n\n* CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2.13]\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0758",
"url": "https://access.redhat.com/errata/RHSA-2023:0758"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=2.13.7",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=2.13.7"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.13/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.13/"
},
{
"category": "external",
"summary": "https://access.redhat.com/articles/4966181",
"url": "https://access.redhat.com/articles/4966181"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "external",
"summary": "2153399",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153399"
},
{
"category": "external",
"summary": "2158081",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158081"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0758.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Quarkus 2.13.7 release and security update",
"tracking": {
"current_release_date": "2024-12-17T23:01:10+00:00",
"generator": {
"date": "2024-12-17T23:01:10+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:0758",
"initial_release_date": "2023-02-14T12:11:49+00:00",
"revision_history": [
{
"date": "2023-02-14T12:11:49+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-02-14T12:11:49+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-17T23:01:10+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Quarkus",
"product": {
"name": "Red Hat build of Quarkus",
"product_id": "Red Hat build of Quarkus",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:quarkus:2.13"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Quarkus"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-1471",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2150009"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-1471"
},
{
"category": "external",
"summary": "RHBZ#2150009",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
},
{
"category": "external",
"summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
"url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
}
],
"release_date": "2022-10-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-14T12:11:49+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0758"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
},
{
"cve": "CVE-2022-41881",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2022-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2153379"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41881"
},
{
"category": "external",
"summary": "RHBZ#2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881"
}
],
"release_date": "2022-12-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-14T12:11:49+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0758"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS"
},
{
"cve": "CVE-2022-41946",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"discovery_date": "2022-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2153399"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn\u0027t make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41946"
},
{
"category": "external",
"summary": "RHBZ#2153399",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153399"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41946",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41946"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41946",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41946"
}
],
"release_date": "2022-11-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-14T12:11:49+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0758"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-14T12:11:49+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0758"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"Red Hat build of Quarkus"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"acknowledgments": [
{
"names": [
"Paulo Lopes"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2023-0044",
"discovery_date": "2023-01-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2158081"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to `/`, then a cross-site attack may be initiated, which might lead to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0044"
},
{
"category": "external",
"summary": "RHBZ#2158081",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158081"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0044",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0044"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0044",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0044"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-c57v-hc7m-8px2",
"url": "https://github.com/advisories/GHSA-c57v-hc7m-8px2"
}
],
"release_date": "2023-01-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-14T12:11:49+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0758"
},
{
"category": "workaround",
"details": "This attack can be prevented with the Quarkus CSRF Prevention feature.",
"product_ids": [
"Red Hat build of Quarkus"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure"
}
]
}
RHSA-2022_8957
Vulnerability from csaf_redhat - Published: 2022-12-13 13:20 - Updated: 2024-11-15 13:18Summary
Red Hat Security Advisory: Red Hat build of Quarkus Platform 2.7.6.SP3 and security update
Notes
Topic
An update is now available for Red Hat build of Quarkus Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.
Details
This release of Red Hat build of Quarkus 2.7.6.SP3 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.
Security Fix(es):
* CVE-2022-4147 quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus
* CVE-2022-4116 quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE
* CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat build of Quarkus Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat build of Quarkus 2.7.6.SP3 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.\n\nSecurity Fix(es):\n\n* CVE-2022-4147 quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus\n\n* CVE-2022-4116 quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE\n\n* CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s)\nlisted in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:8957",
"url": "https://access.redhat.com/errata/RHSA-2022:8957"
},
{
"category": "external",
"summary": "https://access.redhat.com/articles/4966181",
"url": "https://access.redhat.com/articles/4966181"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=redhat.quarkus\u0026version=2.7.6.SP3",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=redhat.quarkus\u0026version=2.7.6.SP3"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.7",
"url": "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.7"
},
{
"category": "external",
"summary": "2148867",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148867"
},
{
"category": "external",
"summary": "2144748",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144748"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_8957.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Quarkus Platform 2.7.6.SP3 and security update",
"tracking": {
"current_release_date": "2024-11-15T13:18:26+00:00",
"generator": {
"date": "2024-11-15T13:18:26+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2022:8957",
"initial_release_date": "2022-12-13T13:20:47+00:00",
"revision_history": [
{
"date": "2022-12-13T13:20:47+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-12-13T13:20:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T13:18:26+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Quarkus Platform 2.7.6.SP3",
"product": {
"name": "Red Hat build of Quarkus Platform 2.7.6.SP3",
"product_id": "Red Hat build of Quarkus Platform 2.7.6.SP3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:quarkus:2.7"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Quarkus"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Joseph Beeton"
],
"organization": "Contrast Security"
}
],
"cve": "CVE-2022-4116",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2022-11-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2144748"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in quarkus. This issue occurs in Dev UI Config Editor, which is vulnerable to drive-by localhost attacks leading to remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4116"
},
{
"category": "external",
"summary": "RHBZ#2144748",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144748"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4116",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4116"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4116",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4116"
}
],
"release_date": "2022-11-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-13T13:20:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:8957"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE"
},
{
"cve": "CVE-2022-4147",
"cwe": {
"id": "CWE-1026",
"name": "CWE-1026"
},
"discovery_date": "2022-11-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2148867"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Quarkus. The Quarkus CORS filter allows simple GET and POST requests with an invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest have no event listeners registered on the object returned by the XMLHttpRequest upload property, and have no ReadableStream object used in the request.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4147"
},
{
"category": "external",
"summary": "RHBZ#2148867",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148867"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4147",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4147"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4147",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4147"
}
],
"release_date": "2022-11-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-13T13:20:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:8957"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-13T13:20:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:8957"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
}
]
}
RHSA-2023:4983
Vulnerability from csaf_redhat - Published: 2023-09-05 18:37 - Updated: 2025-11-21 18:44Summary
Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.4 security update
Notes
Topic
An update is now available for Red Hat Process Automation Manager.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which provides a detailed severity rating, is available for each vulnerability from the CVE links in the References section.
Details
Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.
This asynchronous security patch is an update to Red Hat Process Automation Manager 7.
Security Fixes:
* apache-bcel: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)
* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* loader-utils: regular expression denial of service in interpolateName.js (CVE-2022-37599)
* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* RESTEasy: creation of insecure temp files (CVE-2023-0482)
* sshd-core: mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server (CVE-2021-30129)
For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat Process Automation Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which provides a detailed severity rating, is available for each vulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis asynchronous security patch is an update to Red Hat Process Automation Manager 7.\n\nSecurity Fixes:\n\n* apache-bcel: Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n\n* decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900)\n\n* mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* loader-utils: regular expression denial of service in interpolateName.js (CVE-2022-37599)\n\n* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)\n\n* RESTEasy: creation of insecure temp files (CVE-2023-0482)\n\n* sshd-core: mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server (CVE-2021-30129)\n\nFor more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:4983",
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1981527",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981527"
},
{
"category": "external",
"summary": "2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "2134872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134872"
},
{
"category": "external",
"summary": "2137645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137645"
},
{
"category": "external",
"summary": "2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2166004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166004"
},
{
"category": "external",
"summary": "2170644",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170644"
},
{
"category": "external",
"summary": "2180528",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180528"
},
{
"category": "external",
"summary": "2209342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209342"
},
{
"category": "external",
"summary": "RHPAM-4639",
"url": "https://issues.redhat.com/browse/RHPAM-4639"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_4983.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.4 security update",
"tracking": {
"current_release_date": "2025-11-21T18:44:29+00:00",
"generator": {
"date": "2025-11-21T18:44:29+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2023:4983",
"initial_release_date": "2023-09-05T18:37:03+00:00",
"revision_history": [
{
"date": "2023-09-05T18:37:03+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-09-05T18:37:03+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:44:29+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHPAM 7.13.4 async",
"product": {
"name": "RHPAM 7.13.4 async",
"product_id": "RHPAM 7.13.4 async",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13"
}
}
}
],
"category": "product_family",
"name": "Red Hat Process Automation Manager"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-30129",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2021-07-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1981527"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-30129"
},
{
"category": "external",
"summary": "RHBZ#1981527",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1981527"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-30129",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-30129"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-30129",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30129"
}
],
"release_date": "2021-07-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "mina-sshd-core: Memory leak denial of service in Apache Mina SSHD Server"
},
{
"cve": "CVE-2022-3143",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-09-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2124682"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-elytron: possible timing attacks via use of unsafe comparator",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3143"
},
{
"category": "external",
"summary": "RHBZ#2124682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3143",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3143"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143"
}
],
"release_date": "2022-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly-elytron: possible timing attacks via use of unsafe comparator"
},
{
"cve": "CVE-2022-3171",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2137645"
}
],
"notes": [
{
"category": "description",
"text": "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobuf-java: timeout in parser leads to DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3171"
},
{
"category": "external",
"summary": "RHBZ#2137645",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2137645"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3171",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3171"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171"
},
{
"category": "external",
"summary": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2",
"url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2"
}
],
"release_date": "2022-10-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "protobuf-java: timeout in parser leads to DoS"
},
{
"cve": "CVE-2022-3509",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2022-12-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2184161"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Textformat in protobuf-java core that can lead to a denial of service. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields can cause objects to convert between mutable and immutable forms, resulting in long garbage collection pauses.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobuf-java: Textformat parsing issue leads to DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3509"
},
{
"category": "external",
"summary": "RHBZ#2184161",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184161"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3509",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3509"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3509",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3509"
}
],
"release_date": "2022-12-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "protobuf-java: Textformat parsing issue leads to DoS"
},
{
"cve": "CVE-2022-3510",
"cwe": {
"id": "CWE-915",
"name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes"
},
"discovery_date": "2022-12-15T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2184176"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Message-Type Extensions in protobuf-java core that can lead to a denial of service. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields can cause objects to convert between mutable and immutable forms, resulting in long garbage collection pauses.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "protobuf-java: Message-Type Extensions parsing issue leads to DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3510"
},
{
"category": "external",
"summary": "RHBZ#2184176",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2184176"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3510",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3510"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3510",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3510"
}
],
"release_date": "2022-12-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "protobuf-java: Message-Type Extensions parsing issue leads to DoS"
},
{
"cve": "CVE-2022-4492",
"cwe": {
"id": "CWE-550",
"name": "Server-generated Error Message Containing Sensitive Information"
},
"discovery_date": "2022-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2153260"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step ( that should at least be performed by default) in HTTPS and in http/2.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "undertow: Server identity in https connection is not checked by the undertow client",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4492"
},
{
"category": "external",
"summary": "RHBZ#2153260",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4492",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4492"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4492",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4492"
}
],
"release_date": "2022-12-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "undertow: Server identity in https connection is not checked by the undertow client"
},
{
"cve": "CVE-2022-25857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-09-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2126789"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-25857"
},
{
"category": "external",
"summary": "RHBZ#2126789",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525"
}
],
"release_date": "2022-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections"
},
{
"cve": "CVE-2022-37599",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134872"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the interpolateName function in interpolateName.js in the webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js. This flaw can lead to a regular expression denial of service (ReDoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: regular expression denial of service in interpolateName.js",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Hat OpenShift Logging the openshift-logging/kibana6-rhel8 container and openshift-logging/logging-view-plugin-rhel8 bundles many nodejs packages as a build time dependencies, including loader-utils package. The vulnerable code is not used hence the impact to OpenShift Logging by this vulnerability is Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37599"
},
{
"category": "external",
"summary": "RHBZ#2134872",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134872"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37599",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37599"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37599",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37599"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g",
"url": "https://github.com/advisories/GHSA-hhq3-ff78-jv3g"
},
{
"category": "external",
"summary": "https://github.com/webpack/loader-utils/issues/211",
"url": "https://github.com/webpack/loader-utils/issues/211"
}
],
"release_date": "2022-10-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"RHPAM 7.13.4 async"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: regular expression denial of service in interpolateName.js"
},
{
"cve": "CVE-2022-38900",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2023-02-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2170644"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in decode-uri-component. This issue occurs due to a specially crafted input, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "decode-uri-component: improper input validation resulting in DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "For OpenShift Container Platform (OCP), Advanced Clusters Management for Kubernetes (ACM) and Advanced Cluster Security (ACS), the NPM decode-uri-component package is only present in source repositories as a development dependency, it is not used in production. Therefore this vulnerability is rated Low for OCP and ACS.\n\nIn Red Hat OpenShift Logging the openshift-logging/kibana6-rhel8 container bundles many nodejs packages as a build time dependencies, including the decode-uri-component package. \nThe vulnerable code is not used, hence the impact to OpenShift Logging by this vulnerability is Low.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-38900"
},
{
"category": "external",
"summary": "RHBZ#2170644",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170644"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-38900",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38900"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38900",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38900"
},
{
"category": "external",
"summary": "https://github.com/SamVerschueren/decode-uri-component/issues/5",
"url": "https://github.com/SamVerschueren/decode-uri-component/issues/5"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-w573-4hg7-7wgq",
"url": "https://github.com/advisories/GHSA-w573-4hg7-7wgq"
}
],
"release_date": "2022-11-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "decode-uri-component: improper input validation resulting in DoS"
},
{
"cve": "CVE-2022-40152",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134291"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40152"
},
{
"category": "external",
"summary": "RHBZ#2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40152",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4",
"url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-41854",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2151988"
}
],
"notes": [
{
"category": "description",
"text": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "dev-java/snakeyaml: DoS via stack overflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41854"
},
{
"category": "external",
"summary": "RHBZ#2151988",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2151988"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41854",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41854"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854"
},
{
"category": "external",
"summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355"
},
{
"category": "external",
"summary": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355"
}
],
"release_date": "2022-11-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "dev-java/snakeyaml: DoS via stack overflow"
},
{
"cve": "CVE-2022-42920",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2142707"
}
],
"notes": [
{
"category": "description",
"text": "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42920"
},
{
"category": "external",
"summary": "RHBZ#2142707",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2142707"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42920",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42920"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42920"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4",
"url": "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4"
}
],
"release_date": "2022-11-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"RHPAM 7.13.4 async"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2023-0482",
"cwe": {
"id": "CWE-378",
"name": "Creation of Temporary File With Insecure Permissions"
},
"discovery_date": "2023-01-31T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2166004"
}
],
"notes": [
{
"category": "description",
"text": "In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "RESTEasy: creation of insecure temp files",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-0482"
},
{
"category": "external",
"summary": "RHBZ#2166004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-0482",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0482"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0482",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0482"
}
],
"release_date": "2023-01-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "RESTEasy: creation of insecure temp files"
},
{
"cve": "CVE-2023-20860",
"cwe": {
"id": "CWE-155",
"name": "Improper Neutralization of Wildcards or Matching Symbols"
},
"discovery_date": "2023-03-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2180528"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-20860"
},
{
"category": "external",
"summary": "RHBZ#2180528",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180528"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-20860",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20860"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-20860",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20860"
},
{
"category": "external",
"summary": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861",
"url": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861"
}
],
"release_date": "2023-03-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern"
},
{
"cve": "CVE-2023-20861",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-03-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2180530"
}
],
"notes": [
{
"category": "description",
"text": "A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "springframework: Spring Expression DoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-20861"
},
{
"category": "external",
"summary": "RHBZ#2180530",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180530"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-20861",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20861"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-20861",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20861"
},
{
"category": "external",
"summary": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861",
"url": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861"
}
],
"release_date": "2023-03-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "springframework: Spring Expression DoS Vulnerability"
},
{
"cve": "CVE-2023-20883",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-05-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2209342"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot\u0027s welcome page support, either static or templated, resulting in the application being deployed behind a proxy that caches 404 responses. This issue may cause a denial of service (DoS) attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "spring-boot: Spring Boot Welcome Page DoS Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-20883"
},
{
"category": "external",
"summary": "RHBZ#2209342",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2209342"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-20883",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-20883"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-20883",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20883"
}
],
"release_date": "2023-05-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "spring-boot: Spring Boot Welcome Page DoS Vulnerability"
},
{
"cve": "CVE-2023-24998",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2023-02-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2172298"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Commons FileUpload, where it does not limit the number of parts being processed in a request. This issue may allow an attacker to use a malicious upload or series of uploads to trigger a denial of service.\r\n\r\nWhile Red Hat Satellite relies upon Apache Tomcat, it does not directly ship it. Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "FileUpload: FileUpload DoS with excessive parts",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"RHPAM 7.13.4 async"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-24998"
},
{
"category": "external",
"summary": "RHBZ#2172298",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2172298"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-24998",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24998"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998"
},
{
"category": "external",
"summary": "https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5",
"url": "https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5"
}
],
"release_date": "2023-02-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-09-05T18:37:03+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"RHPAM 7.13.4 async"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"RHPAM 7.13.4 async"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "FileUpload: FileUpload DoS with excessive parts"
}
]
}
RHSA-2022:8957
Vulnerability from csaf_redhat - Published: 2022-12-13 13:20 - Updated: 2025-11-21 18:35Summary
Red Hat Security Advisory: Red Hat build of Quarkus Platform 2.7.6.SP3 and security update
Notes
Topic
An update is now available for Red Hat build of Quarkus Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.
Details
This release of Red Hat build of Quarkus 2.7.6.SP3 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.
Security Fix(es):
* CVE-2022-4147 quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus
* CVE-2022-4116 quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE
* CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat build of Quarkus Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "This release of Red Hat build of Quarkus 2.7.6.SP3 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.\n\nSecurity Fix(es):\n\n* CVE-2022-4147 quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus\n\n* CVE-2022-4116 quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE\n\n* CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s)\nlisted in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:8957",
"url": "https://access.redhat.com/errata/RHSA-2022:8957"
},
{
"category": "external",
"summary": "https://access.redhat.com/articles/4966181",
"url": "https://access.redhat.com/articles/4966181"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=redhat.quarkus\u0026version=2.7.6.SP3",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=redhat.quarkus\u0026version=2.7.6.SP3"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.7",
"url": "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.7"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2144748",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144748"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2148867",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148867"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_8957.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Quarkus Platform 2.7.6.SP3 and security update",
"tracking": {
"current_release_date": "2025-11-21T18:35:38+00:00",
"generator": {
"date": "2025-11-21T18:35:38+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2022:8957",
"initial_release_date": "2022-12-13T13:20:47+00:00",
"revision_history": [
{
"date": "2022-12-13T13:20:47+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-12-13T13:20:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:35:38+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Quarkus Platform 2.7.6.SP3",
"product": {
"name": "Red Hat build of Quarkus Platform 2.7.6.SP3",
"product_id": "Red Hat build of Quarkus Platform 2.7.6.SP3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:quarkus:2.7"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Quarkus"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Joseph Beeton"
],
"organization": "Contrast Security"
}
],
"cve": "CVE-2022-4116",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"discovery_date": "2022-11-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2144748"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in quarkus. This issue occurs in Dev UI Config Editor, which is vulnerable to drive-by localhost attacks leading to remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4116"
},
{
"category": "external",
"summary": "RHBZ#2144748",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2144748"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4116",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4116"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4116",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4116"
}
],
"release_date": "2022-11-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-13T13:20:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:8957"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE"
},
{
"cve": "CVE-2022-4147",
"cwe": {
"id": "CWE-1026",
"name": "CWE-1026"
},
"discovery_date": "2022-11-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2148867"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Quarkus. The Quarkus CORS filter allows simple GET and POST requests with an invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest have no event listeners registered on the object returned by the XMLHttpRequest upload property, and have no ReadableStream object used in the request.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-4147"
},
{
"category": "external",
"summary": "RHBZ#2148867",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148867"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-4147",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4147"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4147",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4147"
}
],
"release_date": "2022-11-28T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-13T13:20:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:8957"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "quarkus-vertx-http: Security misconfiguration of CORS : OWASP A05_2021 level in Quarkus"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-12-13T13:20:47+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:8957"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Quarkus Platform 2.7.6.SP3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
}
]
}
RHSA-2023_0713
Vulnerability from csaf_redhat - Published: 2023-02-09 11:35 - Updated: 2024-12-16 02:04Summary
Red Hat Security Advisory: Red Hat Data Grid 8.4.1 security update
Notes
Topic
An update for Red Hat Data Grid 8 is now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.
Data Grid 8.4.1 replaces Data Grid 8.4.0 and includes bug fixes and enhancements. Find out more about Data Grid 8.4.1 in the Release Notes[3].
Security Fix(es):
* mina-sshd: Java unsafe deserialization vulnerability [jdg-8] (CVE-2022-45047)
* file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop [jdg-8] (CVE-2022-36313)
* loader-utils: loader-utils:Regular expression denial of service [jdg-8] (CVE-2022-37603)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [jdg-8] (CVE-2022-41881)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [jdg-8] (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays [jdg-8] (CVE-2022-42004)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Data Grid 8 is now available.\n \nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.\n \nData Grid 8.4.1 replaces Data Grid 8.4.0 and includes bug fixes and enhancements. Find out more about Data Grid 8.4.1 in the Release Notes[3].\n\nSecurity Fix(es):\n\n* mina-sshd: Java unsafe deserialization vulnerability [jdg-8] (CVE-2022-45047)\n\n* file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop [jdg-8] (CVE-2022-36313)\n\n* loader-utils: loader-utils:Regular expression denial of service [jdg-8] (CVE-2022-37603)\n\n* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [jdg-8] (CVE-2022-41881)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [jdg-8] (CVE-2022-42003)\n\n* jackson-databind: use of deeply nested arrays [jdg-8] (CVE-2022-42004)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0713",
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=8.4\u0026downloadType=patches",
"url": "https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=70381\u0026product=data.grid\u0026version=8.4\u0026downloadType=patches"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.4/html-single/red_hat_data_grid_8.4_release_notes/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.4/html-single/red_hat_data_grid_8.4_release_notes/index"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "external",
"summary": "2159682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2159682"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0713.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Data Grid 8.4.1 security update",
"tracking": {
"current_release_date": "2024-12-16T02:04:20+00:00",
"generator": {
"date": "2024-12-16T02:04:20+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:0713",
"initial_release_date": "2023-02-09T11:35:44+00:00",
"revision_history": [
{
"date": "2023-02-09T11:35:44+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-02-09T11:35:44+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-16T02:04:20+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Data Grid 8.4.1",
"product": {
"name": "Red Hat Data Grid 8.4.1",
"product_id": "Red Hat Data Grid 8.4.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_data_grid:8"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Data Grid"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-36313",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2023-01-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2159682"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the file-type npm package. A malformed MKV file could lead the file type detector to a denial of Service. This issue allows an attacker to input a malicious file and make the server unresponsive.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-36313"
},
{
"category": "external",
"summary": "RHBZ#2159682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2159682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-36313",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36313"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-36313",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36313"
}
],
"release_date": "2022-07-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-09T11:35:44+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.1 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.1 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.1, refer to the 8.4.1 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.4.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "file-type: a malformed MKV file could cause the file type detector to get caught in an infinite loop"
},
{
"cve": "CVE-2022-37603",
"cwe": {
"id": "CWE-185",
"name": "Incorrect Regular Expression"
},
"discovery_date": "2022-11-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2140597"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "loader-utils: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-37603"
},
{
"category": "external",
"summary": "RHBZ#2140597",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603"
}
],
"release_date": "2022-10-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-09T11:35:44+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.1 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.1 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.1, refer to the 8.4.1 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.4.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "loader-utils: Regular expression denial of service"
},
{
"cve": "CVE-2022-41881",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"discovery_date": "2022-12-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2153379"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41881"
},
{
"category": "external",
"summary": "RHBZ#2153379",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881"
}
],
"release_date": "2022-12-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-09T11:35:44+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.1 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.1 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.1, refer to the 8.4.1 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.4.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-09T11:35:44+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.1 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.1 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.1, refer to the 8.4.1 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.4.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-09T11:35:44+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.1 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.1 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.1, refer to the 8.4.1 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.4.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Data Grid 8.4.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-09T11:35:44+00:00",
"details": "To install this update, do the following:\n \n1. Download the Data Grid 8.4.1 Server patch from the customer portal[\u00b2].\n2. Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.\n3. Install the Data Grid 8.4.1 Server patch.\n4. Restart Data Grid to ensure the changes take effect.\n\nFor more information about Data Grid 8.4.1, refer to the 8.4.1 Release Notes[\u00b3]",
"product_ids": [
"Red Hat Data Grid 8.4.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"Red Hat Data Grid 8.4.1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Data Grid 8.4.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
}
]
}
RHSA-2023:0552
Vulnerability from csaf_redhat - Published: 2023-01-31 13:15 - Updated: 2025-11-21 18:37Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods (CVE-2020-11023)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* bootstrap: XSS in the data-target attribute (CVE-2016-10735)
* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy (CVE-2018-14041)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)
* nodejs-moment: Regular expression denial of service (CVE-2017-18214)
* wildfly-elytron: possible timing attacks via use of unsafe comparator (CVE-2022-3143)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n\n* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)\n\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n\n* jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods (CVE-2020-11023)\n\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n\n* bootstrap: XSS in the data-target attribute (CVE-2016-10735)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy (CVE-2018-14041)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n\n* bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)\n\n* nodejs-moment: Regular expression denial of service (CVE-2017-18214)\n\n* wildfly-elytron: possible timing attacks via use of unsafe comparator (CVE-2022-3143)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0552",
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/"
},
{
"category": "external",
"summary": "1399546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546"
},
{
"category": "external",
"summary": "1553413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1668097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097"
},
{
"category": "external",
"summary": "1686454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "2124682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682"
},
{
"category": "external",
"summary": "2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "JBEAP-23864",
"url": "https://issues.redhat.com/browse/JBEAP-23864"
},
{
"category": "external",
"summary": "JBEAP-23865",
"url": "https://issues.redhat.com/browse/JBEAP-23865"
},
{
"category": "external",
"summary": "JBEAP-23866",
"url": "https://issues.redhat.com/browse/JBEAP-23866"
},
{
"category": "external",
"summary": "JBEAP-23926",
"url": "https://issues.redhat.com/browse/JBEAP-23926"
},
{
"category": "external",
"summary": "JBEAP-24055",
"url": "https://issues.redhat.com/browse/JBEAP-24055"
},
{
"category": "external",
"summary": "JBEAP-24081",
"url": "https://issues.redhat.com/browse/JBEAP-24081"
},
{
"category": "external",
"summary": "JBEAP-24095",
"url": "https://issues.redhat.com/browse/JBEAP-24095"
},
{
"category": "external",
"summary": "JBEAP-24100",
"url": "https://issues.redhat.com/browse/JBEAP-24100"
},
{
"category": "external",
"summary": "JBEAP-24127",
"url": "https://issues.redhat.com/browse/JBEAP-24127"
},
{
"category": "external",
"summary": "JBEAP-24128",
"url": "https://issues.redhat.com/browse/JBEAP-24128"
},
{
"category": "external",
"summary": "JBEAP-24132",
"url": "https://issues.redhat.com/browse/JBEAP-24132"
},
{
"category": "external",
"summary": "JBEAP-24147",
"url": "https://issues.redhat.com/browse/JBEAP-24147"
},
{
"category": "external",
"summary": "JBEAP-24167",
"url": "https://issues.redhat.com/browse/JBEAP-24167"
},
{
"category": "external",
"summary": "JBEAP-24191",
"url": "https://issues.redhat.com/browse/JBEAP-24191"
},
{
"category": "external",
"summary": "JBEAP-24195",
"url": "https://issues.redhat.com/browse/JBEAP-24195"
},
{
"category": "external",
"summary": "JBEAP-24207",
"url": "https://issues.redhat.com/browse/JBEAP-24207"
},
{
"category": "external",
"summary": "JBEAP-24248",
"url": "https://issues.redhat.com/browse/JBEAP-24248"
},
{
"category": "external",
"summary": "JBEAP-24426",
"url": "https://issues.redhat.com/browse/JBEAP-24426"
},
{
"category": "external",
"summary": "JBEAP-24427",
"url": "https://issues.redhat.com/browse/JBEAP-24427"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0552.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update",
"tracking": {
"current_release_date": "2025-11-21T18:37:17+00:00",
"generator": {
"date": "2025-11-21T18:37:17+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2023:0552",
"initial_release_date": "2023-01-31T13:15:22+00:00",
"revision_history": [
{
"date": "2023-01-31T13:15:22+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-31T13:15:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:37:17+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product": {
"name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src",
"product_id": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-woodstox-core@6.4.0-1.redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_id": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-1.redhat_00003.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-elytron-web@1.9.3-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_id": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-1.redhat_00003.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"product": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"product_id": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-javaee-security-soteria@1.0.1-3.redhat_00003.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product": {
"name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_id": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-providers@2.12.7-1.redhat_00003.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_id": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-1.redhat_00003.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"product": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"product_id": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-1.redhat_00002.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_id": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-1.redhat_00003.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_id": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-1.redhat_00003.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"product_id": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow@2.2.22-1.SP3_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.27-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.3.16-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar@1.5.10-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsp-api_2.3_spec@2.0.0-3.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"product_id": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-sshd@2.9.2-1.redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-ejb-client@4.0.49-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"product_id": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsf-api_2.3_spec@3.0.0-6.SP07_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search@5.10.13-3.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"product": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"product_id": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.16-1.Final_redhat_00001.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"product": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"product_id": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-24.Final_redhat_00023.1.el7eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"product": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"product_id": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.4.9-4.GA_redhat_00003.1.el7eap?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"product_id": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-woodstox-core@6.4.0-1.redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-datatype-jdk8@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-datatype-jsr310@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow-server@1.9.3-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-javaee-security-soteria@1.0.1-3.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-javaee-security-soteria-enterprise@1.0.1-3.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-base@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-json-provider@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"product": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"product_id": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-1.redhat_00002.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-module-jaxb-annotations@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_id": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-1.redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow@2.2.22-1.SP3_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.27-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.3.16-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-api@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-impl@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-spi@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-core-api@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-core-impl@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-deployers-common@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-jdbc@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-validator@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsp-api_2.3_spec@2.0.0-3.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"product_id": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-sshd@2.9.2-1.redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-ejb-client@4.0.49-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsf-api_2.3_spec@3.0.0-6.SP07_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search@5.10.13-3.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-backend-jgroups@5.10.13-3.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-backend-jms@5.10.13-3.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-engine@5.10.13-3.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-orm@5.10.13-3.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-serialization-avro@5.10.13-3.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.16-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"product_id": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.16-1.Final_redhat_00001.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"product_id": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-24.Final_redhat_00023.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"product_id": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-24.Final_redhat_00023.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"product_id": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-24.Final_redhat_00023.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_id": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.4.9-4.GA_redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_id": "eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.4.9-4.GA_redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_id": "eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.4.9-4.GA_redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_id": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.9-4.GA_redhat_00003.1.el7eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product": {
"name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_id": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.9-4.GA_redhat_00003.1.el7eap?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src"
},
"product_reference": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src"
},
"product_reference": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src"
},
"product_reference": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src"
},
"product_reference": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src"
},
"product_reference": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src"
},
"product_reference": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src"
},
"product_reference": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src"
},
"product_reference": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch"
},
"product_reference": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src"
},
"product_reference": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src"
},
"product_reference": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch"
},
"product_reference": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch"
},
"product_reference": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"relates_to_product_reference": "7Server-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
"product_id": "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
},
"product_reference": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src",
"relates_to_product_reference": "7Server-JBEAP-7.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-9251",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2016-11-27T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1399546"
}
],
"notes": [
{
"category": "description",
"text": "jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting via cross-domain ajax requests",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-9251"
},
{
"category": "external",
"summary": "RHBZ#1399546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-9251",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-9251"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251"
}
],
"release_date": "2015-06-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Cross-site scripting via cross-domain ajax requests"
},
{
"cve": "CVE-2016-10735",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-01-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1668097"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: XSS in the data-target attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.\n\nRed Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-10735"
},
{
"category": "external",
"summary": "RHBZ#1668097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-10735",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10735"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735"
}
],
"release_date": "2016-06-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: XSS in the data-target attribute"
},
{
"cve": "CVE-2017-18214",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2018-03-08T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1553413"
}
],
"notes": [
{
"category": "description",
"text": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-moment: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of momentjs as shipped with Red Hat Enterprise Satellite 5. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.\n\nIn Quay 3.10 and above, no version of affected momentjs is present.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-18214"
},
{
"category": "external",
"summary": "RHBZ#1553413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-18214",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-18214"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214"
}
],
"release_date": "2017-09-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs-moment: Regular expression denial of service"
},
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14041",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601616"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting, caused by improper validation of user-supplied input by the data-target property of scrollspy. This flaw allows a remote attacker to execute a script in a victim\u0027s Web browser within the security context of the hosting Web site, which can lead to stealing the victim\u0027s cookie-based authentication credentials.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14041"
},
{
"category": "external",
"summary": "RHBZ#1601616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14041",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14041"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-8331",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-02-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1686454"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popover events fired.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: XSS in the tooltip or popover data-template attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-8331"
},
{
"category": "external",
"summary": "RHBZ#1686454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-8331",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8331"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331"
}
],
"release_date": "2019-02-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: XSS in the tooltip or popover data-template attribute"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. As PCS does not accept untrusted input, the vulnerable code cannot be controlled by an attacker.\n\nMultiple Red Hat offerings use doxygen to build documentation. During this process an affected jquery.js file can be included in the resulting package. The \u0027gcc\u0027 and \u0027tbb\u0027 packages were potentially vulnerable via this method.\n\nOpenShift Container Platform 4 is not affected because even though it uses the \u0027gcc\u0027 component, vulnerable code is limited within the libstdc++-docs rpm package, which is not shipped.\n\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\n\nStatic code analysis controls ensure that security flaws, including XSS vulnerabilities, are detected early in development by scanning code for improper input handling. This prevents vulnerable code from reaching production and encourages our developers to follow secure coding practices. System monitoring controls play a crucial role in detecting and responding to XSS attacks by analyzing logs, monitoring user behavior, and generating alerts for suspicious activity. Meanwhile, AWS WAF (Web Application Firewall) adds an extra layer of defense by filtering and blocking malicious input before it reaches the platform and/or application. Together, these controls create a defense-in-depth approach, reducing the risk of XSS exploitation by preventing, detecting, and mitigating attacks at multiple levels.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2025-01-23T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2022-3143",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-09-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2124682"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-elytron: possible timing attacks via use of unsafe comparator",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3143"
},
{
"category": "external",
"summary": "RHBZ#2124682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3143",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3143"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143"
}
],
"release_date": "2022-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly-elytron: possible timing attacks via use of unsafe comparator"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-40152",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134291"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40152"
},
{
"category": "external",
"summary": "RHBZ#2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40152",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4",
"url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src"
],
"known_not_affected": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:15:22+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src",
"7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch",
"7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "CXF: SSRF Vulnerability"
}
]
}
RHSA-2023_0553
Vulnerability from csaf_redhat - Published: 2023-01-31 13:12 - Updated: 2024-12-16 02:20Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* jquery: Prototype pollution in object's prototype leading to denial of
service, remote code execution, or property injection (CVE-2019-11358)
* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
(CVE-2018-14040)
* jquery: Untrusted code execution via <option> tag in HTML passed to DOM
manipulation methods (CVE-2020-11023)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
(CVE-2020-11022)
* bootstrap: XSS in the data-target attribute (CVE-2016-10735)
* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy
(CVE-2018-14041)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability
(CVE-2022-45047)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40152)
* bootstrap: Cross-site Scripting (XSS) in the data-container property of
tooltip (CVE-2018-14042)
* bootstrap: XSS in the tooltip or popover data-template attribute
(CVE-2019-8331)
* nodejs-moment: Regular expression denial of service (CVE-2017-18214)
* wildfly-elytron: possible timing attacks via use of unsafe comparator
(CVE-2022-3143)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
(CVE-2022-42003)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jettison: memory exhaustion via user-supplied XML or JSON data
(CVE-2022-40150)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of\nservice, remote code execution, or property injection (CVE-2019-11358)\n\n* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)\n\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute\n(CVE-2018-14040)\n\n* jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM\nmanipulation methods (CVE-2020-11023)\n\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method\n(CVE-2020-11022)\n\n* bootstrap: XSS in the data-target attribute (CVE-2016-10735)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy\n(CVE-2018-14041)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability\n(CVE-2022-45047)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of\nService attacks (CVE-2022-40152)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-container property of\ntooltip (CVE-2018-14042)\n\n* bootstrap: XSS in the tooltip or popover data-template attribute\n(CVE-2019-8331)\n\n* nodejs-moment: Regular expression denial of service (CVE-2017-18214)\n\n* wildfly-elytron: possible timing attacks via use of unsafe comparator\n(CVE-2022-3143)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS\n(CVE-2022-42003)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data\n(CVE-2022-40150)\n\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0553",
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/"
},
{
"category": "external",
"summary": "1399546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546"
},
{
"category": "external",
"summary": "1553413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413"
},
{
"category": "external",
"summary": "1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "1601616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616"
},
{
"category": "external",
"summary": "1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "1668097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097"
},
{
"category": "external",
"summary": "1686454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454"
},
{
"category": "external",
"summary": "1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "2124682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682"
},
{
"category": "external",
"summary": "2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "JBEAP-23864",
"url": "https://issues.redhat.com/browse/JBEAP-23864"
},
{
"category": "external",
"summary": "JBEAP-23865",
"url": "https://issues.redhat.com/browse/JBEAP-23865"
},
{
"category": "external",
"summary": "JBEAP-23866",
"url": "https://issues.redhat.com/browse/JBEAP-23866"
},
{
"category": "external",
"summary": "JBEAP-23927",
"url": "https://issues.redhat.com/browse/JBEAP-23927"
},
{
"category": "external",
"summary": "JBEAP-24055",
"url": "https://issues.redhat.com/browse/JBEAP-24055"
},
{
"category": "external",
"summary": "JBEAP-24081",
"url": "https://issues.redhat.com/browse/JBEAP-24081"
},
{
"category": "external",
"summary": "JBEAP-24095",
"url": "https://issues.redhat.com/browse/JBEAP-24095"
},
{
"category": "external",
"summary": "JBEAP-24100",
"url": "https://issues.redhat.com/browse/JBEAP-24100"
},
{
"category": "external",
"summary": "JBEAP-24127",
"url": "https://issues.redhat.com/browse/JBEAP-24127"
},
{
"category": "external",
"summary": "JBEAP-24128",
"url": "https://issues.redhat.com/browse/JBEAP-24128"
},
{
"category": "external",
"summary": "JBEAP-24132",
"url": "https://issues.redhat.com/browse/JBEAP-24132"
},
{
"category": "external",
"summary": "JBEAP-24147",
"url": "https://issues.redhat.com/browse/JBEAP-24147"
},
{
"category": "external",
"summary": "JBEAP-24167",
"url": "https://issues.redhat.com/browse/JBEAP-24167"
},
{
"category": "external",
"summary": "JBEAP-24191",
"url": "https://issues.redhat.com/browse/JBEAP-24191"
},
{
"category": "external",
"summary": "JBEAP-24195",
"url": "https://issues.redhat.com/browse/JBEAP-24195"
},
{
"category": "external",
"summary": "JBEAP-24207",
"url": "https://issues.redhat.com/browse/JBEAP-24207"
},
{
"category": "external",
"summary": "JBEAP-24248",
"url": "https://issues.redhat.com/browse/JBEAP-24248"
},
{
"category": "external",
"summary": "JBEAP-24426",
"url": "https://issues.redhat.com/browse/JBEAP-24426"
},
{
"category": "external",
"summary": "JBEAP-24427",
"url": "https://issues.redhat.com/browse/JBEAP-24427"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0553.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update",
"tracking": {
"current_release_date": "2024-12-16T02:20:24+00:00",
"generator": {
"date": "2024-12-16T02:20:24+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:0553",
"initial_release_date": "2023-01-31T13:12:13+00:00",
"revision_history": [
{
"date": "2023-01-31T13:12:13+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-31T13:12:13+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-16T02:20:24+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss EAP 7.4 for RHEL 8",
"product": {
"name": "Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-elytron-web@1.9.3-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src",
"product_id": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-woodstox-core@6.4.0-1.redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_id": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-1.redhat_00003.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_id": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-1.redhat_00003.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_id": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-1.redhat_00003.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"product": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"product_id": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-javaee-security-soteria@1.0.1-3.redhat_00003.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product": {
"name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_id": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-providers@2.12.7-1.redhat_00003.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_id": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-1.redhat_00003.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"product": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"product_id": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-1.redhat_00002.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_id": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-1.redhat_00003.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"product_id": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow@2.2.22-1.SP3_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.27-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.3.16-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar@1.5.10-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"product_id": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-sshd@2.9.2-1.redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsp-api_2.3_spec@2.0.0-3.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-ejb-client@4.0.49-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"product_id": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsf-api_2.3_spec@3.0.0-6.SP07_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search@5.10.13-3.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"product": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"product_id": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.16-1.Final_redhat_00001.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"product": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"product_id": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-24.Final_redhat_00023.1.el8eap?arch=src"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"product": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"product_id": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.4.9-4.GA_redhat_00003.1.el8eap?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow-server@1.9.3-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"product_id": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-woodstox-core@6.4.0-1.redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-datatype-jdk8@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-datatype-jsr310@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-javaee-security-soteria@1.0.1-3.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-javaee-security-soteria-enterprise@1.0.1-3.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-base@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-json-provider@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-module-jaxb-annotations@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"product": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"product_id": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-1.redhat_00002.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_id": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-1.redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-undertow@2.2.22-1.SP3_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.27-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hal-console@3.3.16-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-api@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-impl@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-common-spi@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-core-api@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-core-impl@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-deployers-common@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-jdbc@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-ironjacamar-validator@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"product_id": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-apache-sshd@2.9.2-1.redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsp-api_2.3_spec@2.0.0-3.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-ejb-client@4.0.49-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-jsf-api_2.3_spec@3.0.0-6.SP07_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search@5.10.13-3.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-backend-jgroups@5.10.13-3.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-backend-jms@5.10.13-3.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-engine@5.10.13-3.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-orm@5.10.13-3.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-hibernate-search-serialization-avro@5.10.13-3.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.16-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"product_id": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.16-1.Final_redhat_00001.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"product_id": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-24.Final_redhat_00023.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"product_id": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-24.Final_redhat_00023.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"product": {
"name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"product_id": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-24.Final_redhat_00023.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"product_id": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly@7.4.9-4.GA_redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"product_id": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.9-4.GA_redhat_00003.1.el8eap?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"product": {
"name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"product_id": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.9-4.GA_redhat_00003.1.el8eap?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src"
},
"product_reference": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src"
},
"product_reference": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src"
},
"product_reference": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src"
},
"product_reference": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src"
},
"product_reference": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src"
},
"product_reference": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src"
},
"product_reference": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src"
},
"product_reference": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch"
},
"product_reference": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch"
},
"product_reference": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src"
},
"product_reference": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src"
},
"product_reference": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch"
},
"product_reference": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch"
},
"product_reference": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"relates_to_product_reference": "8Base-JBEAP-7.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
"product_id": "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
},
"product_reference": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src",
"relates_to_product_reference": "8Base-JBEAP-7.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-9251",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2016-11-27T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1399546"
}
],
"notes": [
{
"category": "description",
"text": "jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting via cross-domain ajax requests",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-9251"
},
{
"category": "external",
"summary": "RHBZ#1399546",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-9251",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-9251"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251"
}
],
"release_date": "2015-06-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Cross-site scripting via cross-domain ajax requests"
},
{
"cve": "CVE-2016-10735",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-01-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1668097"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: XSS in the data-target attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.\n\nRed Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-10735"
},
{
"category": "external",
"summary": "RHBZ#1668097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-10735",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10735"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735"
}
],
"release_date": "2016-06-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: XSS in the data-target attribute"
},
{
"cve": "CVE-2017-18214",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2018-03-08T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1553413"
}
],
"notes": [
{
"category": "description",
"text": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-moment: Regular expression denial of service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of momentjs as shipped with Red Hat Enterprise Satellite 5. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-18214"
},
{
"category": "external",
"summary": "RHBZ#1553413",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-18214",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-18214"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214"
}
],
"release_date": "2017-09-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs-moment: Regular expression denial of service"
},
{
"cve": "CVE-2018-14040",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601614"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14040"
},
{
"category": "external",
"summary": "RHBZ#1601614",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14040"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute"
},
{
"cve": "CVE-2018-14041",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601616"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting, caused by improper validation of user-supplied input by the data-target property of scrollspy. This flaw allows a remote attacker to execute a script in a victim\u0027s Web browser within the security context of the hosting Web site, which can lead to stealing the victim\u0027s cookie-based authentication credentials.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14041"
},
{
"category": "external",
"summary": "RHBZ#1601616",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14041",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14041"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy"
},
{
"cve": "CVE-2018-14042",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2018-07-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1601617"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-14042"
},
{
"category": "external",
"summary": "RHBZ#1601617",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14042"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042"
}
],
"release_date": "2018-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip"
},
{
"cve": "CVE-2019-8331",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-02-20T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1686454"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popover events fired.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: XSS in the tooltip or popover data-template attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-8331"
},
{
"category": "external",
"summary": "RHBZ#1686454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-8331",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-8331"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331"
}
],
"release_date": "2019-02-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "bootstrap: XSS in the tooltip or popover data-template attribute"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
},
{
"cve": "CVE-2020-11022",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-04-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1828406"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11022"
},
{
"category": "external",
"summary": "RHBZ#1828406",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11022"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2",
"url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2"
}
],
"release_date": "2020-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method"
},
{
"cve": "CVE-2020-11023",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2020-06-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1850004"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-11023"
},
{
"category": "external",
"summary": "RHBZ#1850004",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11023"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/",
"url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/"
}
],
"release_date": "2020-04-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods"
},
{
"cve": "CVE-2022-3143",
"cwe": {
"id": "CWE-208",
"name": "Observable Timing Discrepancy"
},
"discovery_date": "2022-09-06T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2124682"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "wildfly-elytron: possible timing attacks via use of unsafe comparator",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-3143"
},
{
"category": "external",
"summary": "RHBZ#2124682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-3143",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3143"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143"
}
],
"release_date": "2022-09-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "wildfly-elytron: possible timing attacks via use of unsafe comparator"
},
{
"cve": "CVE-2022-40149",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135771"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: parser crash by stackoverflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40149"
},
{
"category": "external",
"summary": "RHBZ#2135771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: parser crash by stackoverflow"
},
{
"cve": "CVE-2022-40150",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2022-10-18T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135770"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: memory exhaustion via user-supplied XML or JSON data",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40150"
},
{
"category": "external",
"summary": "RHBZ#2135770",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150"
},
{
"category": "external",
"summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1",
"url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1"
}
],
"release_date": "2022-09-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "jettison: memory exhaustion via user-supplied XML or JSON data"
},
{
"cve": "CVE-2022-40152",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-10-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2134291"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-40152"
},
{
"category": "external",
"summary": "RHBZ#2134291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-40152",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4",
"url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4"
}
],
"release_date": "2022-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks"
},
{
"cve": "CVE-2022-42003",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135244"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42003"
},
{
"category": "external",
"summary": "RHBZ#2135244",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS"
},
{
"cve": "CVE-2022-42004",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-10-17T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2135247"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jackson-databind: use of deeply nested arrays",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-42004"
},
{
"category": "external",
"summary": "RHBZ#2135247",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004"
}
],
"release_date": "2022-10-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jackson-databind: use of deeply nested arrays"
},
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2022-11-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2145194"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "mina-sshd: Java unsafe deserialization vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "RHBZ#2145194",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"category": "external",
"summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"release_date": "2022-11-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
},
{
"category": "workaround",
"details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "mina-sshd: Java unsafe deserialization vulnerability"
},
{
"cve": "CVE-2022-45693",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2022-12-23T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155970"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src"
],
"known_not_affected": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-45693"
},
{
"category": "external",
"summary": "RHBZ#2155970",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos"
},
{
"cve": "CVE-2022-46364",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2022-12-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2155682"
}
],
"notes": [
{
"category": "description",
"text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CXF: SSRF Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-46364"
},
{
"category": "external",
"summary": "RHBZ#2155682",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
},
{
"category": "external",
"summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
}
],
"release_date": "2022-12-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T13:12:13+00:00",
"details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src",
"8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch",
"8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "CXF: SSRF Vulnerability"
}
]
}
WID-SEC-W-2023-0972
Vulnerability from csaf_certbund - Published: 2023-04-13 22:00 - Updated: 2023-04-13 22:00Summary
IBM Spectrum Scale: Schwachstelle ermöglicht Codeausführung
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM Spectrum Scale ist eine Lösung für das Management großer unstrukturierter Datenmengen.
Angriff
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in IBM Spectrum Scale ausnutzen, um beliebigen Programmcode auszuführen.
Betroffene Betriebssysteme
- Linux
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "IBM Spectrum Scale ist eine L\u00f6sung f\u00fcr das Management gro\u00dfer unstrukturierter Datenmengen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in IBM Spectrum Scale ausnutzen, um beliebigen Programmcode auszuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-0972 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0972.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-0972 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0972"
},
{
"category": "external",
"summary": "IBM Security Bulletin 6983769 vom 2023-04-14",
"url": "https://www.ibm.com/support/pages/node/6983769"
}
],
"source_lang": "en-US",
"title": "IBM Spectrum Scale: Schwachstelle erm\u00f6glicht Codeausf\u00fchrung",
"tracking": {
"current_release_date": "2023-04-13T22:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:48:54.055+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-0972",
"initial_release_date": "2023-04-13T22:00:00.000+00:00",
"revision_history": [
{
"date": "2023-04-13T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "IBM Spectrum Scale \u003c 5.1.2.9",
"product": {
"name": "IBM Spectrum Scale \u003c 5.1.2.9",
"product_id": "T026088",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:spectrum_scale:v5.1.2.9"
}
}
},
{
"category": "product_name",
"name": "IBM Spectrum Scale \u003c 5.1.7.0",
"product": {
"name": "IBM Spectrum Scale \u003c 5.1.7.0",
"product_id": "T026659",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:spectrum_scale:v5.1.7.0"
}
}
}
],
"category": "product_name",
"name": "Storage Scale"
}
],
"category": "vendor",
"name": "IBM"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-45047",
"notes": [
{
"category": "description",
"text": "Es existiert eine Schwachstelle in IBM Spectrum Scale aufgrund einer unsicheren Deserialisierung in der verwendeten \"Apache MINA SSHD\" Komponente. Ein Angreifer kann durch das Senden von speziell gestalteten Eingaben beliebigen Code ausf\u00fchren."
}
],
"release_date": "2023-04-13T22:00:00.000+00:00",
"title": "CVE-2022-45047"
}
]
}
WID-SEC-W-2023-1021
Vulnerability from csaf_certbund - Published: 2023-04-18 22:00 - Updated: 2023-06-29 22:00Summary
Oracle Communications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Communications umfasst branchenspezifische Lösungen für die Telekommunikationsbranche.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Communications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
- Sonstiges
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle Communications umfasst branchenspezifische L\u00f6sungen f\u00fcr die Telekommunikationsbranche.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Communications ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows\n- Sonstiges",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-1021 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1021.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-1021 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1021"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7008449 vom 2023-06-29",
"url": "https://www.ibm.com/support/pages/node/7008449"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - April 2023 - Appendix Oracle Communications vom 2023-04-18",
"url": "https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixCGBU"
}
],
"source_lang": "en-US",
"title": "Oracle Communications: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2023-06-29T22:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:49:22.512+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-1021",
"initial_release_date": "2023-04-18T22:00:00.000+00:00",
"revision_history": [
{
"date": "2023-04-18T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2023-06-29T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von IBM aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "IBM DB2",
"product": {
"name": "IBM DB2",
"product_id": "5104",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:db2:-"
}
}
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Oracle Communications 9.1",
"product": {
"name": "Oracle Communications 9.1",
"product_id": "T019868",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:9.1"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 3.3",
"product": {
"name": "Oracle Communications 3.3",
"product_id": "T020687",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:3.3"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 5.0",
"product": {
"name": "Oracle Communications 5.0",
"product_id": "T021645",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:5.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 12.6.0.0.0",
"product": {
"name": "Oracle Communications 12.6.0.0.0",
"product_id": "T022818",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:12.6.0.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 7.0.0.0.0",
"product": {
"name": "Oracle Communications 7.0.0.0.0",
"product_id": "T022823",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:7.0.0.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 8.6.0.0",
"product": {
"name": "Oracle Communications 8.6.0.0",
"product_id": "T024970",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:8.6.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 22.3.0",
"product": {
"name": "Oracle Communications 22.3.0",
"product_id": "T024974",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:22.3.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 22.1.0.0.0",
"product": {
"name": "Oracle Communications 22.1.0.0.0",
"product_id": "T025863",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:22.1.0.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications \u003c= 22.4.4",
"product": {
"name": "Oracle Communications \u003c= 22.4.4",
"product_id": "T027328",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:22.4.4"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications \u003c= 23.1.1",
"product": {
"name": "Oracle Communications \u003c= 23.1.1",
"product_id": "T027329",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:23.1.1"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 9.0.0",
"product": {
"name": "Oracle Communications 9.0.0",
"product_id": "T027330",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:9.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 9.0.1",
"product": {
"name": "Oracle Communications 9.0.1",
"product_id": "T027331",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:9.0.1"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 9.1.1.4.0",
"product": {
"name": "Oracle Communications 9.1.1.4.0",
"product_id": "T027332",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:9.1.1.4.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 9.1.1.3.0",
"product": {
"name": "Oracle Communications 9.1.1.3.0",
"product_id": "T027333",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:9.1.1.3.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 9.0.1.6.0",
"product": {
"name": "Oracle Communications 9.0.1.6.0",
"product_id": "T027334",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:9.0.1.6.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 8.45",
"product": {
"name": "Oracle Communications 8.45",
"product_id": "T027335",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:8.45"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 9.15",
"product": {
"name": "Oracle Communications 9.15",
"product_id": "T027336",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:9.15"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 4.0",
"product": {
"name": "Oracle Communications 4.0",
"product_id": "T027337",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:4.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Communications 12.6.1.0.0",
"product": {
"name": "Oracle Communications 12.6.1.0.0",
"product_id": "T027338",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:communications:12.6.1.0.0"
}
}
}
],
"category": "product_name",
"name": "Communications"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-28708",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2023-28708"
},
{
"cve": "CVE-2023-25690",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2023-25690"
},
{
"cve": "CVE-2023-25613",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2023-25613"
},
{
"cve": "CVE-2023-25577",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2023-25577"
},
{
"cve": "CVE-2023-24998",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2023-24998"
},
{
"cve": "CVE-2023-23931",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2023-23931"
},
{
"cve": "CVE-2023-23916",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2023-23916"
},
{
"cve": "CVE-2023-0361",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2023-0361"
},
{
"cve": "CVE-2022-47629",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-47629"
},
{
"cve": "CVE-2022-46364",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-46364"
},
{
"cve": "CVE-2022-45143",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-45143"
},
{
"cve": "CVE-2022-45047",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-45047"
},
{
"cve": "CVE-2022-4415",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-4415"
},
{
"cve": "CVE-2022-43402",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-43402"
},
{
"cve": "CVE-2022-43401",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-43401"
},
{
"cve": "CVE-2022-42898",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-42898"
},
{
"cve": "CVE-2022-42252",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-42252"
},
{
"cve": "CVE-2022-42003",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-42003"
},
{
"cve": "CVE-2022-41966",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-41966"
},
{
"cve": "CVE-2022-41881",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-41881"
},
{
"cve": "CVE-2022-40304",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-40304"
},
{
"cve": "CVE-2022-40151",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-40151"
},
{
"cve": "CVE-2022-38752",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-38752"
},
{
"cve": "CVE-2022-37865",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-37865"
},
{
"cve": "CVE-2022-37434",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-37434"
},
{
"cve": "CVE-2022-35737",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-35737"
},
{
"cve": "CVE-2022-3171",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-3171"
},
{
"cve": "CVE-2022-31692",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-31692"
},
{
"cve": "CVE-2022-31630",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-31630"
},
{
"cve": "CVE-2022-31129",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-31129"
},
{
"cve": "CVE-2022-31123",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-31123"
},
{
"cve": "CVE-2022-28199",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-28199"
},
{
"cve": "CVE-2022-25315",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-25315"
},
{
"cve": "CVE-2022-23491",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-23491"
},
{
"cve": "CVE-2022-1471",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-1471"
},
{
"cve": "CVE-2022-1292",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-1292"
},
{
"cve": "CVE-2021-46848",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2021-46848"
},
{
"cve": "CVE-2021-37519",
"notes": [
{
"category": "description",
"text": "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027330",
"T022818",
"T020687",
"T022823",
"T024974",
"T019868",
"T021645",
"5104",
"T027337",
"T024970",
"T027338",
"T027335",
"T025863",
"T027336",
"T027333",
"T027334",
"T027331",
"T027332"
],
"last_affected": [
"T027328",
"T027329"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2021-37519"
}
]
}
WID-SEC-W-2023-2518
Vulnerability from csaf_certbund - Published: 2023-09-28 22:00 - Updated: 2024-07-01 22:00Summary
Red Hat JBoss Data Grid: Mehre Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Red Hat JBoss Data Grid ist eine verteilte In-Memory-Datenbank für den schnellen Zugriff auf große Datenvolumen und Skalierbarkeit.
Angriff
Ein entfernter anonymer Angreifer kann eine Schwachstelle in Red Hat JBoss Data Grid ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder vertrauliche Informationen offenzulegen.
Betroffene Betriebssysteme
- Linux
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Red Hat JBoss Data Grid ist eine verteilte In-Memory-Datenbank f\u00fcr den schnellen Zugriff auf gro\u00dfe Datenvolumen und Skalierbarkeit.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter anonymer Angreifer kann eine Schwachstelle in Red Hat JBoss Data Grid ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen oder vertrauliche Informationen offenzulegen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-2518 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2518.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-2518 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2518"
},
{
"category": "external",
"summary": "NetApp Security Advisory NTAP-20240125-0004 vom 2024-01-25",
"url": "https://security.netapp.com/advisory/ntap-20240125-0004/"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:0148 vom 2024-01-10",
"url": "https://access.redhat.com/errata/RHSA-2024:0148"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:1192 vom 2024-03-06",
"url": "https://access.redhat.com/errata/RHSA-2024:1192"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:1193 vom 2024-03-06",
"url": "https://access.redhat.com/errata/RHSA-2024:1193"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:1194 vom 2024-03-06",
"url": "https://access.redhat.com/errata/RHSA-2024:1194"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7108821 vom 2024-01-17",
"url": "https://www.ibm.com/support/pages/node/7108821"
},
{
"category": "external",
"summary": "Red Hat Security Update vom 2023-09-28",
"url": "https://access.redhat.com/errata/RHSA-2023:5396"
},
{
"category": "external",
"summary": "Proof of Concept (PoC) f\u00fcr CVE-2023-35116",
"url": "https://github.com/FasterXML/jackson-databind/issues/3972"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:5484 vom 2023-10-05",
"url": "https://access.redhat.com/errata/RHSA-2023:5484"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:5488 vom 2023-10-05",
"url": "https://access.redhat.com/errata/RHSA-2023:5488"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:5486 vom 2023-10-06",
"url": "https://access.redhat.com/errata/RHSA-2023:5486"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:5485 vom 2023-10-06",
"url": "https://access.redhat.com/errata/RHSA-2023:5485"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:5946 vom 2023-10-20",
"url": "https://access.redhat.com/errata/RHSA-2023:5946"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:7641 vom 2023-12-05",
"url": "https://access.redhat.com/errata/RHSA-2023:7641"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:7637 vom 2023-12-05",
"url": "https://access.redhat.com/errata/RHSA-2023:7637"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:7638 vom 2023-12-05",
"url": "https://access.redhat.com/errata/RHSA-2023:7638"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:7639 vom 2023-12-05",
"url": "https://access.redhat.com/errata/RHSA-2023:7639"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:7653 vom 2023-12-06",
"url": "https://access.redhat.com/errata/RHSA-2023:7653"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:7705 vom 2023-12-08",
"url": "https://access.redhat.com/errata/RHSA-2023:7705"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:7697 vom 2023-12-07",
"url": "https://access.redhat.com/errata/RHSA-2023:7697"
},
{
"category": "external",
"summary": "Hitachi Vulnerability Information HITACHI-SEC-2024-134 vom 2024-07-02",
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-134/index.html"
}
],
"source_lang": "en-US",
"title": "Red Hat JBoss Data Grid: Mehre Schwachstellen",
"tracking": {
"current_release_date": "2024-07-01T22:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:59:14.735+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-2518",
"initial_release_date": "2023-09-28T22:00:00.000+00:00",
"revision_history": [
{
"date": "2023-09-28T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2023-10-05T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-10-19T22:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-12-04T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-12-05T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-12-07T23:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2024-01-10T23:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2024-01-17T23:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von IBM aufgenommen"
},
{
"date": "2024-01-25T23:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von NetApp aufgenommen"
},
{
"date": "2024-03-06T23:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2024-07-01T22:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von HITACHI aufgenommen"
}
],
"status": "final",
"version": "11"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Hitachi Ops Center",
"product": {
"name": "Hitachi Ops Center",
"product_id": "T017562",
"product_identification_helper": {
"cpe": "cpe:/a:hitachi:ops_center:-"
}
}
}
],
"category": "vendor",
"name": "Hitachi"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "10.0.0.0-10.0.6.1",
"product": {
"name": "IBM Security Verify Access 10.0.0.0-10.0.6.1",
"product_id": "T031895",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:security_verify_access:10.0.0.0_-_10.0.6.1"
}
}
}
],
"category": "product_name",
"name": "Security Verify Access"
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"category": "product_name",
"name": "NetApp ActiveIQ Unified Manager",
"product": {
"name": "NetApp ActiveIQ Unified Manager",
"product_id": "T016960",
"product_identification_helper": {
"cpe": "cpe:/a:netapp:active_iq_unified_manager:-"
}
}
}
],
"category": "vendor",
"name": "NetApp"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"branches": [
{
"category": "product_version",
"name": "Camel Extensions for Quarkus 1",
"product": {
"name": "Red Hat Integration Camel Extensions for Quarkus 1",
"product_id": "T026453",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:integration:camel_extensions_for_quarkus_1"
}
}
},
{
"category": "product_version",
"name": "Service Registry 1",
"product": {
"name": "Red Hat Integration Service Registry 1",
"product_id": "T031465",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:integration:service_registry_1"
}
}
},
{
"category": "product_version",
"name": "Camel K 1",
"product": {
"name": "Red Hat Integration Camel K 1",
"product_id": "T031972",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:integration:camel_k_1"
}
}
}
],
"category": "product_name",
"name": "Integration"
},
{
"branches": [
{
"category": "product_version",
"name": "Clients 3",
"product": {
"name": "Red Hat JBoss A-MQ Clients 3",
"product_id": "T031509",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_amq:clients_3"
}
}
}
],
"category": "product_name",
"name": "JBoss A-MQ"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c8.4.4",
"product": {
"name": "Red Hat JBoss Data Grid \u003c8.4.4",
"product_id": "T030159"
}
}
],
"category": "product_name",
"name": "JBoss Data Grid"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c8.0.1",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform \u003c8.0.1",
"product_id": "T033272"
}
}
],
"category": "product_name",
"name": "JBoss Enterprise Application Platform"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-45047",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in Red Hat JBoss Data Grid. Diese Fehler bestehen in den Komponenten jackson-databind, netty, infinispan und apache-mina-sshd. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder vertrauliche Informationen offenzulegen."
}
],
"product_status": {
"known_affected": [
"T031465",
"T031895",
"T031972",
"67646",
"T033272",
"T016960",
"T031509",
"T017562",
"T026453"
]
},
"release_date": "2023-09-28T22:00:00.000+00:00",
"title": "CVE-2022-45047"
},
{
"cve": "CVE-2023-34462",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in Red Hat JBoss Data Grid. Diese Fehler bestehen in den Komponenten jackson-databind, netty, infinispan und apache-mina-sshd. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder vertrauliche Informationen offenzulegen."
}
],
"product_status": {
"known_affected": [
"T031465",
"T031895",
"T031972",
"67646",
"T033272",
"T016960",
"T031509",
"T017562",
"T026453"
]
},
"release_date": "2023-09-28T22:00:00.000+00:00",
"title": "CVE-2023-34462"
},
{
"cve": "CVE-2023-35116",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in Red Hat JBoss Data Grid. Diese Fehler bestehen in den Komponenten jackson-databind, netty, infinispan und apache-mina-sshd. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder vertrauliche Informationen offenzulegen."
}
],
"product_status": {
"known_affected": [
"T031465",
"T031895",
"T031972",
"67646",
"T033272",
"T016960",
"T031509",
"T017562",
"T026453"
]
},
"release_date": "2023-09-28T22:00:00.000+00:00",
"title": "CVE-2023-35116"
},
{
"cve": "CVE-2023-35887",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in Red Hat JBoss Data Grid. Diese Fehler bestehen in den Komponenten jackson-databind, netty, infinispan und apache-mina-sshd. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder vertrauliche Informationen offenzulegen."
}
],
"product_status": {
"known_affected": [
"T031465",
"T031895",
"T031972",
"67646",
"T033272",
"T016960",
"T031509",
"T017562",
"T026453"
]
},
"release_date": "2023-09-28T22:00:00.000+00:00",
"title": "CVE-2023-35887"
},
{
"cve": "CVE-2023-3628",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in Red Hat JBoss Data Grid. Diese Fehler bestehen in den Komponenten jackson-databind, netty, infinispan und apache-mina-sshd. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder vertrauliche Informationen offenzulegen."
}
],
"product_status": {
"known_affected": [
"T031465",
"T031895",
"T031972",
"67646",
"T033272",
"T016960",
"T031509",
"T017562",
"T026453"
]
},
"release_date": "2023-09-28T22:00:00.000+00:00",
"title": "CVE-2023-3628"
},
{
"cve": "CVE-2023-3629",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in Red Hat JBoss Data Grid. Diese Fehler bestehen in den Komponenten jackson-databind, netty, infinispan und apache-mina-sshd. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder vertrauliche Informationen offenzulegen."
}
],
"product_status": {
"known_affected": [
"T031465",
"T031895",
"T031972",
"67646",
"T033272",
"T016960",
"T031509",
"T017562",
"T026453"
]
},
"release_date": "2023-09-28T22:00:00.000+00:00",
"title": "CVE-2023-3629"
},
{
"cve": "CVE-2023-5236",
"notes": [
{
"category": "description",
"text": "Es bestehen mehrere Schwachstellen in Red Hat JBoss Data Grid. Diese Fehler bestehen in den Komponenten jackson-databind, netty, infinispan und apache-mina-sshd. Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand zu verursachen oder vertrauliche Informationen offenzulegen."
}
],
"product_status": {
"known_affected": [
"T031465",
"T031895",
"T031972",
"67646",
"T033272",
"T016960",
"T031509",
"T017562",
"T026453"
]
},
"release_date": "2023-09-28T22:00:00.000+00:00",
"title": "CVE-2023-5236"
}
]
}
WID-SEC-W-2023-0239
Vulnerability from csaf_certbund - Published: 2023-01-31 23:00 - Updated: 2025-05-04 22:00Summary
Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
JBoss Enterprise Application Platform ist eine skalierbare Plattform für Java-Anwendungen, inklusive JBoss Application Server, JBoss Hibernate und Boss Seam.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform ausnutzen, um beliebigen Programmcode auszuführen, ein Cross-Site-Scritping-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen oder Sicherheitsvorkehrungen zu umgehen.
Betroffene Betriebssysteme
- Linux
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "JBoss Enterprise Application Platform ist eine skalierbare Plattform f\u00fcr Java-Anwendungen, inklusive JBoss Application Server, JBoss Hibernate und Boss Seam.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-0239 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0239.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-0239 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0239"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:0552 vom 2023-01-31",
"url": "https://access.redhat.com/errata/RHSA-2023:0552"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:0553 vom 2023-01-31",
"url": "https://access.redhat.com/errata/RHSA-2023:0553"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:0554 vom 2023-01-31",
"url": "https://access.redhat.com/errata/RHSA-2023:0554"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:0556 vom 2023-01-31",
"url": "https://access.redhat.com/errata/RHSA-2023:0556"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:0560 vom 2023-02-08",
"url": "https://access.redhat.com/errata/RHSA-2023:0560"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:0713 vom 2023-02-09",
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:1044 vom 2023-03-02",
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:1043 vom 2023-03-02",
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:1049 vom 2023-03-02",
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:1047 vom 2023-03-02",
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:1045 vom 2023-03-02",
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
},
{
"category": "external",
"summary": "F5 Security Advisory K48382137 vom 2023-04-21",
"url": "https://my.f5.com/manage/s/article/K48382137"
},
{
"category": "external",
"summary": "F5 Security Advisory K05380109 vom 2023-04-20",
"url": "https://my.f5.com/manage/s/article/K05380109"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:3223 vom 2023-05-18",
"url": "https://access.redhat.com/errata/RHSA-2023:3223"
},
{
"category": "external",
"summary": "Hitachi Software Vulnerability Information hitachi-sec-2023-116 vom 2023-05-23",
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-116/index.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:4983 vom 2023-09-05",
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
},
{
"category": "external",
"summary": "Hitachi Vulnerability Information HITACHI-SEC-2023-143 vom 2023-10-03",
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-143/index.html"
},
{
"category": "external",
"summary": "Dell Security Advisory DSA-2023-409 vom 2023-12-23",
"url": "https://www.dell.com/support/kbdoc/000220669/dsa-2023-="
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:1027 vom 2024-02-28",
"url": "https://access.redhat.com/errata/RHSA-2024:1027"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:1746 vom 2025-02-24",
"url": "https://access.redhat.com/errata/RHSA-2025:1746"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:1747 vom 2025-02-24",
"url": "https://access.redhat.com/errata/RHSA-2025:1747"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2025:4437 vom 2025-05-05",
"url": "https://access.redhat.com/errata/RHSA-2025:4437"
}
],
"source_lang": "en-US",
"title": "Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-05-04T22:00:00.000+00:00",
"generator": {
"date": "2025-05-05T08:09:19.043+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.12"
}
},
"id": "WID-SEC-W-2023-0239",
"initial_release_date": "2023-01-31T23:00:00.000+00:00",
"revision_history": [
{
"date": "2023-01-31T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2023-02-08T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-02-09T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-03-01T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-04-20T22:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von F5 aufgenommen"
},
{
"date": "2023-05-18T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-05-22T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von HITACHI aufgenommen"
},
{
"date": "2023-09-05T22:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-10-03T22:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von HITACHI aufgenommen"
},
{
"date": "2023-12-26T23:00:00.000+00:00",
"number": "10",
"summary": "Neue Updates von Dell aufgenommen"
},
{
"date": "2024-02-28T23:00:00.000+00:00",
"number": "11",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-02-23T23:00:00.000+00:00",
"number": "12",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2025-05-04T22:00:00.000+00:00",
"number": "13",
"summary": "Neue Updates von Red Hat aufgenommen"
}
],
"status": "final",
"version": "13"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "F5 BIG-IP",
"product": {
"name": "F5 BIG-IP",
"product_id": "T001663",
"product_identification_helper": {
"cpe": "cpe:/a:f5:big-ip:-"
}
}
}
],
"category": "vendor",
"name": "F5"
},
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Hitachi Ops Center",
"product": {
"name": "Hitachi Ops Center",
"product_id": "T017562",
"product_identification_helper": {
"cpe": "cpe:/a:hitachi:ops_center:-"
}
}
},
{
"category": "product_version_range",
"name": "\u003cCommon Services 10.9.3-00",
"product": {
"name": "Hitachi Ops Center \u003cCommon Services 10.9.3-00",
"product_id": "T030195"
}
},
{
"category": "product_version",
"name": "Common Services 10.9.3-00",
"product": {
"name": "Hitachi Ops Center Common Services 10.9.3-00",
"product_id": "T030195-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:hitachi:ops_center:common_services_10.9.3-00"
}
}
}
],
"category": "product_name",
"name": "Ops Center"
}
],
"category": "vendor",
"name": "Hitachi"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"branches": [
{
"category": "product_version_range",
"name": "Streams \u003c2.4.0",
"product": {
"name": "Red Hat JBoss A-MQ Streams \u003c2.4.0",
"product_id": "T027764"
}
},
{
"category": "product_version",
"name": "Streams 2.4.0",
"product": {
"name": "Red Hat JBoss A-MQ Streams 2.4.0",
"product_id": "T027764-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_amq:streams_2.4.0"
}
}
}
],
"category": "product_name",
"name": "JBoss A-MQ"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c7.4.9",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform \u003c7.4.9",
"product_id": "T026073"
}
},
{
"category": "product_version",
"name": "7.4.9",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 7.4.9",
"product_id": "T026073-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4.9"
}
}
},
{
"category": "product_version_range",
"name": "\u003c7.3.12",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform \u003c7.3.12",
"product_id": "T041369"
}
},
{
"category": "product_version",
"name": "7.3.12",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 7.3.12",
"product_id": "T041369-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3.12"
}
}
},
{
"category": "product_version_range",
"name": "\u003c7.1.9",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform \u003c7.1.9",
"product_id": "T041370"
}
},
{
"category": "product_version",
"name": "7.1.9",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 7.1.9",
"product_id": "T041370-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1.9"
}
}
},
{
"category": "product_version_range",
"name": "\u003c7.3.13",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform \u003c7.3.13",
"product_id": "T043288"
}
},
{
"category": "product_version",
"name": "7.3.13",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 7.3.13",
"product_id": "T043288-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3.13"
}
}
}
],
"category": "product_name",
"name": "JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "container platform 4.0.51",
"product": {
"name": "Red Hat OpenShift container platform 4.0.51",
"product_id": "T026183",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:container_platform_4.0.51"
}
}
}
],
"category": "product_name",
"name": "OpenShift"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-9251",
"product_status": {
"known_affected": [
"T026183",
"T026073",
"T041370",
"67646",
"T001663",
"T027764",
"T041369",
"T030195",
"T017562",
"T043288"
]
},
"release_date": "2023-01-31T23:00:00.000+00:00",
"title": "CVE-2015-9251"
},
{
"cve": "CVE-2016-10735",
"product_status": {
"known_affected": [
"T026183",
"T026073",
"T041370",
"67646",
"T001663",
"T027764",
"T041369",
"T030195",
"T017562",
"T043288"
]
},
"release_date": "2023-01-31T23:00:00.000+00:00",
"title": "CVE-2016-10735"
},
{
"cve": "CVE-2017-18214",
"product_status": {
"known_affected": [
"T026183",
"T026073",
"T041370",
"67646",
"T001663",
"T027764",
"T041369",
"T030195",
"T017562",
"T043288"
]
},
"release_date": "2023-01-31T23:00:00.000+00:00",
"title": "CVE-2017-18214"
},
{
"cve": "CVE-2018-14040",
"product_status": {
"known_affected": [
"T026183",
"T026073",
"T041370",
"67646",
"T001663",
"T027764",
"T041369",
"T030195",
"T017562",
"T043288"
]
},
"release_date": "2023-01-31T23:00:00.000+00:00",
"title": "CVE-2018-14040"
},
{
"cve": "CVE-2018-14041",
"product_status": {
"known_affected": [
"T026183",
"T026073",
"T041370",
"67646",
"T001663",
"T027764",
"T041369",
"T030195",
"T017562",
"T043288"
]
},
"release_date": "2023-01-31T23:00:00.000+00:00",
"title": "CVE-2018-14041"
},
{
"cve": "CVE-2018-14042",
"product_status": {
"known_affected": [
"T026183",
"T026073",
"T041370",
"67646",
"T001663",
"T027764",
"T041369",
"T030195",
"T017562",
"T043288"
]
},
"release_date": "2023-01-31T23:00:00.000+00:00",
"title": "CVE-2018-14042"
},
{
"cve": "CVE-2019-11358",
"product_status": {
"known_affected": [
"T026183",
"T026073",
"T041370",
"67646",
"T001663",
"T027764",
"T041369",
"T030195",
"T017562",
"T043288"
]
},
"release_date": "2023-01-31T23:00:00.000+00:00",
"title": "CVE-2019-11358"
},
{
"cve": "CVE-2019-8331",
"product_status": {
"known_affected": [
"T026183",
"T026073",
"T041370",
"67646",
"T001663",
"T027764",
"T041369",
"T030195",
"T017562",
"T043288"
]
},
"release_date": "2023-01-31T23:00:00.000+00:00",
"title": "CVE-2019-8331"
},
{
"cve": "CVE-2020-11022",
"product_status": {
"known_affected": [
"T026183",
"T026073",
"T041370",
"67646",
"T001663",
"T027764",
"T041369",
"T030195",
"T017562",
"T043288"
]
},
"release_date": "2023-01-31T23:00:00.000+00:00",
"title": "CVE-2020-11022"
},
{
"cve": "CVE-2020-11023",
"product_status": {
"known_affected": [
"T026183",
"T026073",
"T041370",
"67646",
"T001663",
"T027764",
"T041369",
"T030195",
"T017562",
"T043288"
]
},
"release_date": "2023-01-31T23:00:00.000+00:00",
"title": "CVE-2020-11023"
},
{
"cve": "CVE-2022-3143",
"product_status": {
"known_affected": [
"T026183",
"T026073",
"T041370",
"67646",
"T001663",
"T027764",
"T041369",
"T030195",
"T017562",
"T043288"
]
},
"release_date": "2023-01-31T23:00:00.000+00:00",
"title": "CVE-2022-3143"
},
{
"cve": "CVE-2022-40149",
"product_status": {
"known_affected": [
"T026183",
"T026073",
"T041370",
"67646",
"T001663",
"T027764",
"T041369",
"T030195",
"T017562",
"T043288"
]
},
"release_date": "2023-01-31T23:00:00.000+00:00",
"title": "CVE-2022-40149"
},
{
"cve": "CVE-2022-40150",
"product_status": {
"known_affected": [
"T026183",
"T026073",
"T041370",
"67646",
"T001663",
"T027764",
"T041369",
"T030195",
"T017562",
"T043288"
]
},
"release_date": "2023-01-31T23:00:00.000+00:00",
"title": "CVE-2022-40150"
},
{
"cve": "CVE-2022-40152",
"product_status": {
"known_affected": [
"T026183",
"T026073",
"T041370",
"67646",
"T001663",
"T027764",
"T041369",
"T030195",
"T017562",
"T043288"
]
},
"release_date": "2023-01-31T23:00:00.000+00:00",
"title": "CVE-2022-40152"
},
{
"cve": "CVE-2022-42003",
"product_status": {
"known_affected": [
"T026183",
"T026073",
"T041370",
"67646",
"T001663",
"T027764",
"T041369",
"T030195",
"T017562",
"T043288"
]
},
"release_date": "2023-01-31T23:00:00.000+00:00",
"title": "CVE-2022-42003"
},
{
"cve": "CVE-2022-42004",
"product_status": {
"known_affected": [
"T026183",
"T026073",
"T041370",
"67646",
"T001663",
"T027764",
"T041369",
"T030195",
"T017562",
"T043288"
]
},
"release_date": "2023-01-31T23:00:00.000+00:00",
"title": "CVE-2022-42004"
},
{
"cve": "CVE-2022-45047",
"product_status": {
"known_affected": [
"T026183",
"T026073",
"T041370",
"67646",
"T001663",
"T027764",
"T041369",
"T030195",
"T017562",
"T043288"
]
},
"release_date": "2023-01-31T23:00:00.000+00:00",
"title": "CVE-2022-45047"
},
{
"cve": "CVE-2022-45693",
"product_status": {
"known_affected": [
"T026183",
"T026073",
"T041370",
"67646",
"T001663",
"T027764",
"T041369",
"T030195",
"T017562",
"T043288"
]
},
"release_date": "2023-01-31T23:00:00.000+00:00",
"title": "CVE-2022-45693"
},
{
"cve": "CVE-2022-46364",
"product_status": {
"known_affected": [
"T026183",
"T026073",
"T041370",
"67646",
"T001663",
"T027764",
"T041369",
"T030195",
"T017562",
"T043288"
]
},
"release_date": "2023-01-31T23:00:00.000+00:00",
"title": "CVE-2022-46364"
}
]
}
WID-SEC-W-2022-2302
Vulnerability from csaf_certbund - Published: 2022-12-13 23:00 - Updated: 2024-12-17 23:00Summary
Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
JBoss Enterprise Application Platform ist eine skalierbare Plattform für Java-Anwendungen, inklusive JBoss Application Server, JBoss Hibernate und Boss Seam.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform ausnutzen, um beliebigen Programmcode auszuführen und Sicherheitsmaßnahmen zu umgehen.
Betroffene Betriebssysteme
- Linux
- UNIX
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "JBoss Enterprise Application Platform ist eine skalierbare Plattform f\u00fcr Java-Anwendungen, inklusive JBoss Application Server, JBoss Hibernate und Boss Seam.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform ausnutzen, um beliebigen Programmcode auszuf\u00fchren und Sicherheitsma\u00dfnahmen zu umgehen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2022-2302 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-2302.json"
},
{
"category": "self",
"summary": "WID-SEC-2022-2302 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-2302"
},
{
"category": "external",
"summary": "Red Hat Security Advisory - RHSA-2022:8957 vom 2022-12-13",
"url": "https://access.redhat.com/errata/RHSA-2022:8957"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2022:9023 vom 2022-12-14",
"url": "https://access.redhat.com/errata/RHSA-2022:9023"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:0074 vom 2023-01-11",
"url": "https://access.redhat.com/errata/RHSA-2023:0074"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:0713 vom 2023-02-09",
"url": "https://access.redhat.com/errata/RHSA-2023:0713"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:0758 vom 2023-02-14",
"url": "https://access.redhat.com/errata/RHSA-2023:0758"
},
{
"category": "external",
"summary": "Hitachi Software Vulnerability Information hitachi-sec-2023-116 vom 2023-05-23",
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-116/index.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:3641 vom 2023-06-15",
"url": "https://access.redhat.com/errata/RHSA-2023:3641"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:4983 vom 2023-09-05",
"url": "https://access.redhat.com/errata/RHSA-2023:4983"
},
{
"category": "external",
"summary": "Hitachi Vulnerability Information HITACHI-SEC-2024-150 vom 2024-12-17",
"url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-150/index.html"
}
],
"source_lang": "en-US",
"title": "Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-12-17T23:00:00.000+00:00",
"generator": {
"date": "2024-12-18T10:29:18.340+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.10"
}
},
"id": "WID-SEC-W-2022-2302",
"initial_release_date": "2022-12-13T23:00:00.000+00:00",
"revision_history": [
{
"date": "2022-12-13T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2022-12-14T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-01-11T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-02-09T23:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-02-14T23:00:00.000+00:00",
"number": "5",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-05-22T22:00:00.000+00:00",
"number": "6",
"summary": "Neue Updates von HITACHI aufgenommen"
},
{
"date": "2023-06-15T22:00:00.000+00:00",
"number": "7",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2023-09-05T22:00:00.000+00:00",
"number": "8",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2024-12-17T23:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von HITACHI aufgenommen"
}
],
"status": "final",
"version": "9"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Hitachi Ops Center",
"product": {
"name": "Hitachi Ops Center",
"product_id": "T017562",
"product_identification_helper": {
"cpe": "cpe:/a:hitachi:ops_center:-"
}
}
},
{
"category": "product_name",
"name": "Hitachi Ops Center",
"product": {
"name": "Hitachi Ops Center",
"product_id": "T038840",
"product_identification_helper": {
"cpe": "cpe:/a:hitachi:ops_center:-"
}
}
}
],
"category": "product_name",
"name": "Ops Center"
}
],
"category": "vendor",
"name": "Hitachi"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"branches": [
{
"category": "product_version_range",
"name": "Quarkus \u003c2.7.6.SP3",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform Quarkus \u003c2.7.6.SP3",
"product_id": "T025576"
}
},
{
"category": "product_version",
"name": "Quarkus 2.7.6.SP3",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform Quarkus 2.7.6.SP3",
"product_id": "T025576-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:quarkus__2.7.6.sp3"
}
}
}
],
"category": "product_name",
"name": "JBoss Enterprise Application Platform"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-4116",
"notes": [
{
"category": "description",
"text": "Es existiert eine Schwachstelle in Red Hat JBoss Enterprise Application Platform. Der Fehler besteht in der Komponente quarkus und tritt im Dev UI Config Editor aufgrund von Drive-by-Localhost-Angriffen auf. Ein entfernter, anonymer Angreifer kann diese Schwachstelle zur Ausf\u00fchrung von beliebigem Code ausnutzen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"67646",
"T025576",
"T038840",
"T017562"
]
},
"release_date": "2022-12-13T23:00:00.000+00:00",
"title": "CVE-2022-4116"
},
{
"cve": "CVE-2022-4147",
"notes": [
{
"category": "description",
"text": "Es existiert eine Schwachstelle in Red Hat JBoss Enterprise Application Platform. Der Fehler besteht in der Komponente quarkus, da der CORS-Filter einfache GET- und POST-Anfragen mit ung\u00fcltiger Herkunft zul\u00e4sst. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, indem er mit XMLHttpRequest erstellte GET- oder POST-Anfragen sendet, um die Sicherheitsma\u00dfnahmen zu umgehen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
}
],
"product_status": {
"known_affected": [
"67646",
"T025576",
"T038840",
"T017562"
]
},
"release_date": "2022-12-13T23:00:00.000+00:00",
"title": "CVE-2022-4147"
},
{
"cve": "CVE-2022-45047",
"notes": [
{
"category": "description",
"text": "Es existiert eine Schwachstelle in Red Hat JBoss Enterprise Application Platform. Der Fehler besteht in Apache MINA SSHD, wenn Java-Deserialisierung zum Laden eines serialisierten java.security.PrivateKey verwendet wird. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, indem er ungesicherte Daten einf\u00fcgt und so die Sicherheitsma\u00dfnahmen umgeht."
}
],
"product_status": {
"known_affected": [
"67646",
"T025576",
"T038840",
"T017562"
]
},
"release_date": "2022-12-13T23:00:00.000+00:00",
"title": "CVE-2022-45047"
}
]
}
WID-SEC-W-2023-1032
Vulnerability from csaf_certbund - Published: 2023-04-18 22:00 - Updated: 2023-04-18 22:00Summary
Oracle PeopleSoft: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle PeopleSoft ist eine ERP Anwendung.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle PeopleSoft ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle PeopleSoft ist eine ERP Anwendung.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle PeopleSoft ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-1032 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1032.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-1032 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1032"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - April 2023 - Appendix Oracle PeopleSoft vom 2023-04-18",
"url": "https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixPS"
}
],
"source_lang": "en-US",
"title": "Oracle PeopleSoft: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2023-04-18T22:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:49:32.637+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-1032",
"initial_release_date": "2023-04-18T22:00:00.000+00:00",
"revision_history": [
{
"date": "2023-04-18T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Oracle PeopleSoft 8.58",
"product": {
"name": "Oracle PeopleSoft 8.58",
"product_id": "T019029",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:peoplesoft:8.58"
}
}
},
{
"category": "product_name",
"name": "Oracle PeopleSoft 9.2",
"product": {
"name": "Oracle PeopleSoft 9.2",
"product_id": "T019030",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:peoplesoft:9.2"
}
}
},
{
"category": "product_name",
"name": "Oracle PeopleSoft 8.59",
"product": {
"name": "Oracle PeopleSoft 8.59",
"product_id": "T019905",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:peoplesoft:8.59"
}
}
},
{
"category": "product_name",
"name": "Oracle PeopleSoft 8.60",
"product": {
"name": "Oracle PeopleSoft 8.60",
"product_id": "T025008",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:peoplesoft:8.60"
}
}
}
],
"category": "product_name",
"name": "PeopleSoft"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-21992",
"notes": [
{
"category": "description",
"text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019029",
"T025008",
"T019030",
"T019905"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2023-21992"
},
{
"cve": "CVE-2023-21981",
"notes": [
{
"category": "description",
"text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019029",
"T025008",
"T019030",
"T019905"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2023-21981"
},
{
"cve": "CVE-2023-21916",
"notes": [
{
"category": "description",
"text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019029",
"T025008",
"T019030",
"T019905"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2023-21916"
},
{
"cve": "CVE-2022-45685",
"notes": [
{
"category": "description",
"text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019029",
"T025008",
"T019030",
"T019905"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-45685"
},
{
"cve": "CVE-2022-45047",
"notes": [
{
"category": "description",
"text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019029",
"T025008",
"T019030",
"T019905"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-45047"
},
{
"cve": "CVE-2022-41881",
"notes": [
{
"category": "description",
"text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019029",
"T025008",
"T019030",
"T019905"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-41881"
},
{
"cve": "CVE-2022-36033",
"notes": [
{
"category": "description",
"text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019029",
"T025008",
"T019030",
"T019905"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-36033"
},
{
"cve": "CVE-2022-34169",
"notes": [
{
"category": "description",
"text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019029",
"T025008",
"T019030",
"T019905"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-34169"
},
{
"cve": "CVE-2021-37533",
"notes": [
{
"category": "description",
"text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019029",
"T025008",
"T019030",
"T019905"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2021-37533"
},
{
"cve": "CVE-2020-14343",
"notes": [
{
"category": "description",
"text": "In Oracle PeopleSoft existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019029",
"T025008",
"T019030",
"T019905"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2020-14343"
}
]
}
WID-SEC-W-2023-0132
Vulnerability from csaf_certbund - Published: 2023-01-17 23:00 - Updated: 2023-05-01 22:00Summary
Oracle Fusion Middleware: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Fusion Middleware bündelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{
"document": {
"aggregate_severity": {
"text": "kritisch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle Fusion Middleware b\u00fcndelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-0132 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0132.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-0132 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0132"
},
{
"category": "external",
"summary": "CISA Known Exploited Vulnerabilities Catalog vom 2023-05-01",
"url": "https://www.cisa.gov/news-events/alerts/2023/05/01/cisa-adds-three-known-exploited-vulnerabilities-catalog"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - January 2023 - Appendix Oracle Fusion Middleware vom 2023-01-17",
"url": "https://www.oracle.com/security-alerts/cpujan2023.html#AppendixFMW"
}
],
"source_lang": "en-US",
"title": "Oracle Fusion Middleware: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2023-05-01T22:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:41:47.510+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-0132",
"initial_release_date": "2023-01-17T23:00:00.000+00:00",
"revision_history": [
{
"date": "2023-01-17T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2023-05-01T22:00:00.000+00:00",
"number": "2",
"summary": "Exploit-Hinweis f\u00fcr CVE-2023-21839 aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Oracle Fusion Middleware 12.2.1.3.0",
"product": {
"name": "Oracle Fusion Middleware 12.2.1.3.0",
"product_id": "618028",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.3.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Fusion Middleware 12.2.1.4.0",
"product": {
"name": "Oracle Fusion Middleware 12.2.1.4.0",
"product_id": "751674",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.4.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Fusion Middleware 14.1.1.0.0",
"product": {
"name": "Oracle Fusion Middleware 14.1.1.0.0",
"product_id": "829576",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:14.1.1.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Fusion Middleware 5.9.0.0.0",
"product": {
"name": "Oracle Fusion Middleware 5.9.0.0.0",
"product_id": "T021683",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:5.9.0.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Fusion Middleware 8.5.6",
"product": {
"name": "Oracle Fusion Middleware 8.5.6",
"product_id": "T024993",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:8.5.6"
}
}
},
{
"category": "product_name",
"name": "Oracle Fusion Middleware 6.4.0.0.0",
"product": {
"name": "Oracle Fusion Middleware 6.4.0.0.0",
"product_id": "T024994",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:6.4.0.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Fusion Middleware \u003c 13.9.4.2.11",
"product": {
"name": "Oracle Fusion Middleware \u003c 13.9.4.2.11",
"product_id": "T025879",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:13.9.4.2.11"
}
}
}
],
"category": "product_name",
"name": "Fusion Middleware"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-25032",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2018-25032"
},
{
"cve": "CVE-2018-7489",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2018-7489"
},
{
"cve": "CVE-2020-10693",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2020-10693"
},
{
"cve": "CVE-2020-11987",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2020-11987"
},
{
"cve": "CVE-2020-13956",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2020-13956"
},
{
"cve": "CVE-2021-31812",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2021-31812"
},
{
"cve": "CVE-2021-36090",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2021-36090"
},
{
"cve": "CVE-2021-36770",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2021-36770"
},
{
"cve": "CVE-2021-42717",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2021-42717"
},
{
"cve": "CVE-2022-1122",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-1122"
},
{
"cve": "CVE-2022-2274",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-2274"
},
{
"cve": "CVE-2022-23305",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-23305"
},
{
"cve": "CVE-2022-23457",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-23457"
},
{
"cve": "CVE-2022-24329",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-24329"
},
{
"cve": "CVE-2022-25236",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-25236"
},
{
"cve": "CVE-2022-25647",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-25647"
},
{
"cve": "CVE-2022-27404",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-27404"
},
{
"cve": "CVE-2022-27782",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-27782"
},
{
"cve": "CVE-2022-29824",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-29824"
},
{
"cve": "CVE-2022-3171",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-3171"
},
{
"cve": "CVE-2022-31813",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-31813"
},
{
"cve": "CVE-2022-37434",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-37434"
},
{
"cve": "CVE-2022-40146",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-40146"
},
{
"cve": "CVE-2022-40150",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-40150"
},
{
"cve": "CVE-2022-40153",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-40153"
},
{
"cve": "CVE-2022-40664",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-40664"
},
{
"cve": "CVE-2022-42003",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-42003"
},
{
"cve": "CVE-2022-42889",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-42889"
},
{
"cve": "CVE-2022-42920",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-42920"
},
{
"cve": "CVE-2022-43680",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-43680"
},
{
"cve": "CVE-2022-45047",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-45047"
},
{
"cve": "CVE-2023-21832",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2023-21832"
},
{
"cve": "CVE-2023-21837",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2023-21837"
},
{
"cve": "CVE-2023-21838",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2023-21838"
},
{
"cve": "CVE-2023-21839",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2023-21839"
},
{
"cve": "CVE-2023-21841",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2023-21841"
},
{
"cve": "CVE-2023-21842",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2023-21842"
},
{
"cve": "CVE-2023-21846",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2023-21846"
},
{
"cve": "CVE-2023-21859",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2023-21859"
},
{
"cve": "CVE-2023-21861",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2023-21861"
},
{
"cve": "CVE-2023-21862",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2023-21862"
},
{
"cve": "CVE-2023-21891",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2023-21891"
},
{
"cve": "CVE-2023-21892",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2023-21892"
},
{
"cve": "CVE-2023-21894",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"T024994",
"751674",
"T021683",
"829576"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2023-21894"
}
]
}
WID-SEC-W-2025-0820
Vulnerability from csaf_certbund - Published: 2025-04-15 22:00 - Updated: 2025-04-15 22:00Summary
Oracle Enterprise Manager: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Enterprise Manager (OEM) ist ein Set von System Management Werkzeugen von Oracle für Oracle Umgebungen. Es beinhaltet Werkzeuge zum Monitoring von Oracle Umgebung und zur Automatisierung von Datenbank- und Applikations Administration.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Enterprise Manager ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- Linux
- UNIX
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle Enterprise Manager (OEM) ist ein Set von System Management Werkzeugen von Oracle f\u00fcr Oracle Umgebungen. Es beinhaltet Werkzeuge zum Monitoring von Oracle Umgebung und zur Automatisierung von Datenbank- und Applikations Administration.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Enterprise Manager ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-0820 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0820.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-0820 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0820"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - April 2025 - Appendix Oracle Enterprise Manager vom 2025-04-15",
"url": "https://www.oracle.com/security-alerts/cpuapr2025.html#AppendixEM"
}
],
"source_lang": "en-US",
"title": "Oracle Enterprise Manager: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-04-15T22:00:00.000+00:00",
"generator": {
"date": "2025-04-16T09:16:23.337+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.12"
}
},
"id": "WID-SEC-W-2025-0820",
"initial_release_date": "2025-04-15T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-04-15T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "13.3.0.1",
"product": {
"name": "Oracle Enterprise Manager 13.3.0.1",
"product_id": "T018974",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:enterprise_manager:13.3.0.1"
}
}
},
{
"category": "product_version",
"name": "13.5.0.0.0",
"product": {
"name": "Oracle Enterprise Manager 13.5.0.0.0",
"product_id": "T042806",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:enterprise_manager:13.5.0.0.0"
}
}
},
{
"category": "product_version",
"name": "24.1.0.0.0",
"product": {
"name": "Oracle Enterprise Manager 24.1.0.0.0",
"product_id": "T042807",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:enterprise_manager:24.1.0.0.0"
}
}
}
],
"category": "product_name",
"name": "Enterprise Manager"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-45047",
"product_status": {
"known_affected": [
"T018974",
"T042806",
"T042807"
]
},
"release_date": "2025-04-15T22:00:00.000+00:00",
"title": "CVE-2022-45047"
},
{
"cve": "CVE-2023-1370",
"product_status": {
"known_affected": [
"T018974",
"T042806",
"T042807"
]
},
"release_date": "2025-04-15T22:00:00.000+00:00",
"title": "CVE-2023-1370"
},
{
"cve": "CVE-2024-52046",
"product_status": {
"known_affected": [
"T018974",
"T042806",
"T042807"
]
},
"release_date": "2025-04-15T22:00:00.000+00:00",
"title": "CVE-2024-52046"
},
{
"cve": "CVE-2024-57699",
"product_status": {
"known_affected": [
"T018974",
"T042806",
"T042807"
]
},
"release_date": "2025-04-15T22:00:00.000+00:00",
"title": "CVE-2024-57699"
}
]
}
WID-SEC-W-2023-1807
Vulnerability from csaf_certbund - Published: 2023-07-18 22:00 - Updated: 2023-12-26 23:00Summary
Oracle Fusion Middleware: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Fusion Middleware bündelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.
Angriff
Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle Fusion Middleware b\u00fcndelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-1807 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1807.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-1807 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1807"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - July 2023 - Appendix Oracle Fusion Middleware vom 2023-07-18",
"url": "https://www.oracle.com/security-alerts/cpujul2023.html#AppendixFMW"
},
{
"category": "external",
"summary": "Dell Security Advisory DSA-2023-409 vom 2023-12-23",
"url": "https://www.dell.com/support/kbdoc/000220669/dsa-2023-="
}
],
"source_lang": "en-US",
"title": "Oracle Fusion Middleware: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2023-12-26T23:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:55:51.397+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-1807",
"initial_release_date": "2023-07-18T22:00:00.000+00:00",
"revision_history": [
{
"date": "2023-07-18T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2023-12-26T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Dell aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Oracle Fusion Middleware 12.2.1.3.0",
"product": {
"name": "Oracle Fusion Middleware 12.2.1.3.0",
"product_id": "618028",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.3.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Fusion Middleware 12.2.1.4.0",
"product": {
"name": "Oracle Fusion Middleware 12.2.1.4.0",
"product_id": "751674",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.4.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Fusion Middleware 14.1.1.0.0",
"product": {
"name": "Oracle Fusion Middleware 14.1.1.0.0",
"product_id": "829576",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:14.1.1.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Fusion Middleware 9.1.0",
"product": {
"name": "Oracle Fusion Middleware 9.1.0",
"product_id": "T022847",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:9.1.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Fusion Middleware \u003c 11.1.2.3.1",
"product": {
"name": "Oracle Fusion Middleware \u003c 11.1.2.3.1",
"product_id": "T028708",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:11.1.2.3.1"
}
}
}
],
"category": "product_name",
"name": "Fusion Middleware"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-26119",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-26119"
},
{
"cve": "CVE-2023-26049",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-26049"
},
{
"cve": "CVE-2023-25690",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-25690"
},
{
"cve": "CVE-2023-25194",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-25194"
},
{
"cve": "CVE-2023-24998",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-24998"
},
{
"cve": "CVE-2023-23914",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-23914"
},
{
"cve": "CVE-2023-22899",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-22899"
},
{
"cve": "CVE-2023-22040",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-22040"
},
{
"cve": "CVE-2023-22031",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-22031"
},
{
"cve": "CVE-2023-21994",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-21994"
},
{
"cve": "CVE-2023-20863",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-20863"
},
{
"cve": "CVE-2023-20861",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-20861"
},
{
"cve": "CVE-2023-20860",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-20860"
},
{
"cve": "CVE-2023-1436",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-1436"
},
{
"cve": "CVE-2023-1370",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-1370"
},
{
"cve": "CVE-2022-45688",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-45688"
},
{
"cve": "CVE-2022-45047",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-45047"
},
{
"cve": "CVE-2022-43680",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-43680"
},
{
"cve": "CVE-2022-42920",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-42920"
},
{
"cve": "CVE-2022-42890",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-42890"
},
{
"cve": "CVE-2022-41966",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-41966"
},
{
"cve": "CVE-2022-41853",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-41853"
},
{
"cve": "CVE-2022-40152",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-40152"
},
{
"cve": "CVE-2022-36033",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-36033"
},
{
"cve": "CVE-2022-33879",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-33879"
},
{
"cve": "CVE-2022-31197",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-31197"
},
{
"cve": "CVE-2022-29546",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-29546"
},
{
"cve": "CVE-2022-25647",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-25647"
},
{
"cve": "CVE-2022-24409",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-24409"
},
{
"cve": "CVE-2022-23437",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-23437"
},
{
"cve": "CVE-2021-46877",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2021-46877"
},
{
"cve": "CVE-2021-43113",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2021-43113"
},
{
"cve": "CVE-2021-42575",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2021-42575"
},
{
"cve": "CVE-2021-41184",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2021-41184"
},
{
"cve": "CVE-2021-4104",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2021-4104"
},
{
"cve": "CVE-2021-37533",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2021-37533"
},
{
"cve": "CVE-2021-36374",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2021-36374"
},
{
"cve": "CVE-2021-36090",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2021-36090"
},
{
"cve": "CVE-2021-34429",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2021-34429"
},
{
"cve": "CVE-2021-33813",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2021-33813"
},
{
"cve": "CVE-2021-29425",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2021-29425"
},
{
"cve": "CVE-2021-28168",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2021-28168"
},
{
"cve": "CVE-2021-26117",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2021-26117"
},
{
"cve": "CVE-2021-23926",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2021-23926"
},
{
"cve": "CVE-2020-8908",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2020-8908"
},
{
"cve": "CVE-2020-36518",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2020-36518"
},
{
"cve": "CVE-2020-17521",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2020-17521"
},
{
"cve": "CVE-2020-13956",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2020-13956"
},
{
"cve": "CVE-2020-13936",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T022847",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2020-13936"
}
]
}
WID-SEC-W-2023-1016
Vulnerability from csaf_certbund - Published: 2023-04-18 22:00 - Updated: 2023-12-26 23:00Summary
Oracle Fusion Middleware: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Fusion Middleware bündelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle Fusion Middleware b\u00fcndelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-1016 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1016.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-1016 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1016"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - April 2023 - Appendix Oracle Fusion Middleware vom 2023-04-18",
"url": "https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixFMW"
},
{
"category": "external",
"summary": "Dell Security Advisory DSA-2023-409 vom 2023-12-23",
"url": "https://www.dell.com/support/kbdoc/000220669/dsa-2023-="
}
],
"source_lang": "en-US",
"title": "Oracle Fusion Middleware: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2023-12-26T23:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:49:14.060+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-1016",
"initial_release_date": "2023-04-18T22:00:00.000+00:00",
"revision_history": [
{
"date": "2023-04-18T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2023-12-26T23:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Dell aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Oracle Fusion Middleware 12.2.1.3.0",
"product": {
"name": "Oracle Fusion Middleware 12.2.1.3.0",
"product_id": "618028",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.3.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Fusion Middleware 12.2.1.4.0",
"product": {
"name": "Oracle Fusion Middleware 12.2.1.4.0",
"product_id": "751674",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.4.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Fusion Middleware 14.1.1.0.0",
"product": {
"name": "Oracle Fusion Middleware 14.1.1.0.0",
"product_id": "829576",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:14.1.1.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Fusion Middleware 8.5.6",
"product": {
"name": "Oracle Fusion Middleware 8.5.6",
"product_id": "T024993",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:8.5.6"
}
}
}
],
"category": "product_name",
"name": "Fusion Middleware"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-24998",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2023-24998"
},
{
"cve": "CVE-2023-22899",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2023-22899"
},
{
"cve": "CVE-2023-21996",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2023-21996"
},
{
"cve": "CVE-2023-21979",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2023-21979"
},
{
"cve": "CVE-2023-21964",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2023-21964"
},
{
"cve": "CVE-2023-21960",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2023-21960"
},
{
"cve": "CVE-2023-21956",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2023-21956"
},
{
"cve": "CVE-2023-21931",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2023-21931"
},
{
"cve": "CVE-2022-46908",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-46908"
},
{
"cve": "CVE-2022-45693",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-45693"
},
{
"cve": "CVE-2022-45685",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-45685"
},
{
"cve": "CVE-2022-45047",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-45047"
},
{
"cve": "CVE-2022-43551",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-43551"
},
{
"cve": "CVE-2022-42890",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-42890"
},
{
"cve": "CVE-2022-42003",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-42003"
},
{
"cve": "CVE-2022-41966",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-41966"
},
{
"cve": "CVE-2022-41881",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-41881"
},
{
"cve": "CVE-2022-40304",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-40304"
},
{
"cve": "CVE-2022-40152",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-40152"
},
{
"cve": "CVE-2022-40151",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-40151"
},
{
"cve": "CVE-2022-40149",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-40149"
},
{
"cve": "CVE-2022-37434",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-37434"
},
{
"cve": "CVE-2022-36033",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-36033"
},
{
"cve": "CVE-2022-34305",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-34305"
},
{
"cve": "CVE-2022-33980",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-33980"
},
{
"cve": "CVE-2022-31160",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-31160"
},
{
"cve": "CVE-2022-29599",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-29599"
},
{
"cve": "CVE-2022-22965",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-22965"
},
{
"cve": "CVE-2021-37533",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2021-37533"
},
{
"cve": "CVE-2021-36374",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2021-36374"
},
{
"cve": "CVE-2021-36090",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2021-36090"
},
{
"cve": "CVE-2021-34798",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2021-34798"
},
{
"cve": "CVE-2021-31684",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2021-31684"
},
{
"cve": "CVE-2021-22569",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2021-22569"
},
{
"cve": "CVE-2020-6950",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2020-6950"
},
{
"cve": "CVE-2020-25638",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2020-25638"
},
{
"cve": "CVE-2020-13954",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2020-13954"
},
{
"cve": "CVE-2019-20916",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2019-20916"
},
{
"cve": "CVE-2018-14371",
"notes": [
{
"category": "description",
"text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"829576"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2018-14371"
}
]
}
WID-SEC-W-2023-1031
Vulnerability from csaf_certbund - Published: 2023-04-18 22:00 - Updated: 2023-04-18 22:00Summary
Oracle Retail Applications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Retail Applications ist eine Sammlung von Produkten zur Unterstützung u. a. von Handelsfirmen und der Gastronomie.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Retail Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
- Sonstiges
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle Retail Applications ist eine Sammlung von Produkten zur Unterst\u00fctzung u. a. von Handelsfirmen und der Gastronomie.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Retail Applications ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows\n- Sonstiges",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-1031 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1031.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-1031 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1031"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - April 2023 - Appendix Oracle Retail Applications vom 2023-04-18",
"url": "https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixRAPP"
}
],
"source_lang": "en-US",
"title": "Oracle Retail Applications: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2023-04-18T22:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:49:31.959+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-1031",
"initial_release_date": "2023-04-18T22:00:00.000+00:00",
"revision_history": [
{
"date": "2023-04-18T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Oracle Retail Applications 16.0.3",
"product": {
"name": "Oracle Retail Applications 16.0.3",
"product_id": "T019034",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_applications:16.0.3"
}
}
},
{
"category": "product_name",
"name": "Oracle Retail Applications 15.0.3.1",
"product": {
"name": "Oracle Retail Applications 15.0.3.1",
"product_id": "T019909",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_applications:15.0.3.1"
}
}
},
{
"category": "product_name",
"name": "Oracle Retail Applications 14.1.3.2",
"product": {
"name": "Oracle Retail Applications 14.1.3.2",
"product_id": "T019910",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_applications:14.1.3.2"
}
}
},
{
"category": "product_name",
"name": "Oracle Retail Applications 15.0.3",
"product": {
"name": "Oracle Retail Applications 15.0.3",
"product_id": "T020721",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_applications:15.0.3"
}
}
},
{
"category": "product_name",
"name": "Oracle Retail Applications 14.2",
"product": {
"name": "Oracle Retail Applications 14.2",
"product_id": "T021712",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_applications:14.2"
}
}
},
{
"category": "product_name",
"name": "Oracle Retail Applications 16.0.2",
"product": {
"name": "Oracle Retail Applications 16.0.2",
"product_id": "T022879",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_applications:16.0.2"
}
}
},
{
"category": "product_name",
"name": "Oracle Retail Applications 19.0.0.6",
"product": {
"name": "Oracle Retail Applications 19.0.0.6",
"product_id": "T027397",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_applications:19.0.0.6"
}
}
},
{
"category": "product_name",
"name": "Oracle Retail Applications 18.0.5",
"product": {
"name": "Oracle Retail Applications 18.0.5",
"product_id": "T027398",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_applications:18.0.5"
}
}
},
{
"category": "product_name",
"name": "Oracle Retail Applications 19.0.4",
"product": {
"name": "Oracle Retail Applications 19.0.4",
"product_id": "T027399",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_applications:19.0.4"
}
}
},
{
"category": "product_name",
"name": "Oracle Retail Applications 20.0.3",
"product": {
"name": "Oracle Retail Applications 20.0.3",
"product_id": "T027400",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_applications:20.0.3"
}
}
},
{
"category": "product_name",
"name": "Oracle Retail Applications 21.0.2",
"product": {
"name": "Oracle Retail Applications 21.0.2",
"product_id": "T027401",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_applications:21.0.2"
}
}
},
{
"category": "product_name",
"name": "Oracle Retail Applications 18.0.0.12",
"product": {
"name": "Oracle Retail Applications 18.0.0.12",
"product_id": "T027402",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_applications:18.0.0.12"
}
}
},
{
"category": "product_name",
"name": "Oracle Retail Applications 17.0.6",
"product": {
"name": "Oracle Retail Applications 17.0.6",
"product_id": "T027403",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:retail_applications:17.0.6"
}
}
}
],
"category": "product_name",
"name": "Retail Applications"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-45047",
"notes": [
{
"category": "description",
"text": "In Oracle Retail Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019034",
"T022879",
"T019910",
"T021712",
"T020721",
"T027403",
"T027401",
"T027402",
"T027399",
"T027400",
"T027397",
"T019909",
"T027398"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-45047"
},
{
"cve": "CVE-2022-42889",
"notes": [
{
"category": "description",
"text": "In Oracle Retail Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019034",
"T022879",
"T019910",
"T021712",
"T020721",
"T027403",
"T027401",
"T027402",
"T027399",
"T027400",
"T027397",
"T019909",
"T027398"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-42889"
},
{
"cve": "CVE-2022-42003",
"notes": [
{
"category": "description",
"text": "In Oracle Retail Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019034",
"T022879",
"T019910",
"T021712",
"T020721",
"T027403",
"T027401",
"T027402",
"T027399",
"T027400",
"T027397",
"T019909",
"T027398"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-42003"
},
{
"cve": "CVE-2022-41966",
"notes": [
{
"category": "description",
"text": "In Oracle Retail Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019034",
"T022879",
"T019910",
"T021712",
"T020721",
"T027403",
"T027401",
"T027402",
"T027399",
"T027400",
"T027397",
"T019909",
"T027398"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-41966"
},
{
"cve": "CVE-2022-37434",
"notes": [
{
"category": "description",
"text": "In Oracle Retail Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019034",
"T022879",
"T019910",
"T021712",
"T020721",
"T027403",
"T027401",
"T027402",
"T027399",
"T027400",
"T027397",
"T019909",
"T027398"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-37434"
},
{
"cve": "CVE-2022-36033",
"notes": [
{
"category": "description",
"text": "In Oracle Retail Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019034",
"T022879",
"T019910",
"T021712",
"T020721",
"T027403",
"T027401",
"T027402",
"T027399",
"T027400",
"T027397",
"T019909",
"T027398"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-36033"
},
{
"cve": "CVE-2022-33980",
"notes": [
{
"category": "description",
"text": "In Oracle Retail Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019034",
"T022879",
"T019910",
"T021712",
"T020721",
"T027403",
"T027401",
"T027402",
"T027399",
"T027400",
"T027397",
"T019909",
"T027398"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-33980"
},
{
"cve": "CVE-2022-3171",
"notes": [
{
"category": "description",
"text": "In Oracle Retail Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019034",
"T022879",
"T019910",
"T021712",
"T020721",
"T027403",
"T027401",
"T027402",
"T027399",
"T027400",
"T027397",
"T019909",
"T027398"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-3171"
},
{
"cve": "CVE-2022-23437",
"notes": [
{
"category": "description",
"text": "In Oracle Retail Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019034",
"T022879",
"T019910",
"T021712",
"T020721",
"T027403",
"T027401",
"T027402",
"T027399",
"T027400",
"T027397",
"T019909",
"T027398"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-23437"
},
{
"cve": "CVE-2022-23181",
"notes": [
{
"category": "description",
"text": "In Oracle Retail Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019034",
"T022879",
"T019910",
"T021712",
"T020721",
"T027403",
"T027401",
"T027402",
"T027399",
"T027400",
"T027397",
"T019909",
"T027398"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-23181"
},
{
"cve": "CVE-2022-22971",
"notes": [
{
"category": "description",
"text": "In Oracle Retail Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019034",
"T022879",
"T019910",
"T021712",
"T020721",
"T027403",
"T027401",
"T027402",
"T027399",
"T027400",
"T027397",
"T019909",
"T027398"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2022-22971"
},
{
"cve": "CVE-2021-44832",
"notes": [
{
"category": "description",
"text": "In Oracle Retail Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019034",
"T022879",
"T019910",
"T021712",
"T020721",
"T027403",
"T027401",
"T027402",
"T027399",
"T027400",
"T027397",
"T019909",
"T027398"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2021-44832"
},
{
"cve": "CVE-2020-35168",
"notes": [
{
"category": "description",
"text": "In Oracle Retail Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T019034",
"T022879",
"T019910",
"T021712",
"T020721",
"T027403",
"T027401",
"T027402",
"T027399",
"T027400",
"T027397",
"T019909",
"T027398"
]
},
"release_date": "2023-04-18T22:00:00.000+00:00",
"title": "CVE-2020-35168"
}
]
}
WID-SEC-W-2023-0121
Vulnerability from csaf_certbund - Published: 2023-01-17 23:00 - Updated: 2023-01-17 23:00Summary
Oracle Support Tools: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Die Oracle Support Tools sind eine Sammlung von Werkzeugen zur Wartung und zum Support von Oracle Produkten.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Support Tools ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
- Sonstiges
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Die Oracle Support Tools sind eine Sammlung von Werkzeugen zur Wartung und zum Support von Oracle Produkten.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Support Tools ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows\n- Sonstiges",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-0121 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0121.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-0121 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0121"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - January 2023 - Appendix Oracle Support Tools vom 2023-01-17",
"url": "https://www.oracle.com/security-alerts/cpujan2023.html#AppendixTOOL"
}
],
"source_lang": "en-US",
"title": "Oracle Support Tools: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2023-01-17T23:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:41:43.237+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-0121",
"initial_release_date": "2023-01-17T23:00:00.000+00:00",
"revision_history": [
{
"date": "2023-01-17T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Oracle Support Tools 2.12.43",
"product": {
"name": "Oracle Support Tools 2.12.43",
"product_id": "T025899",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:support_tools:2.12.43"
}
}
},
{
"category": "product_name",
"name": "Oracle Support Tools 22.4.22.10.18",
"product": {
"name": "Oracle Support Tools 22.4.22.10.18",
"product_id": "T025900",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:support_tools:22.4.22.10.18"
}
}
},
{
"category": "product_name",
"name": "Oracle Support Tools 22.2.22.4.5",
"product": {
"name": "Oracle Support Tools 22.2.22.4.5",
"product_id": "T025901",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:support_tools:22.2.22.4.5"
}
}
}
],
"category": "product_name",
"name": "Support Tools"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-45047",
"notes": [
{
"category": "description",
"text": "In Oracle Support Tools existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T025899",
"T025901",
"T025900"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2022-45047"
},
{
"cve": "CVE-2021-37533",
"notes": [
{
"category": "description",
"text": "In Oracle Support Tools existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T025899",
"T025901",
"T025900"
]
},
"release_date": "2023-01-17T23:00:00.000+00:00",
"title": "CVE-2021-37533"
}
]
}
WID-SEC-W-2023-1808
Vulnerability from csaf_certbund - Published: 2023-07-18 22:00 - Updated: 2023-07-18 22:00Summary
Oracle Financial Services Applications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Financial Services ist eine Zusammenstellung von Anwendungen für den Finanzsektor und eine Technologiebasis zur Erfüllung von IT- und Geschäftsanforderungen.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle Financial Services ist eine Zusammenstellung von Anwendungen f\u00fcr den Finanzsektor und eine Technologiebasis zur Erf\u00fcllung von IT- und Gesch\u00e4ftsanforderungen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- UNIX\n- Linux\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-1808 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1808.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-1808 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1808"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - July 2023 - Appendix Oracle Financial Services Applications vom 2023-07-18",
"url": "https://www.oracle.com/security-alerts/cpujul2023.html#AppendixIFLX"
}
],
"source_lang": "en-US",
"title": "Oracle Financial Services Applications: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2023-07-18T22:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:55:51.752+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-1808",
"initial_release_date": "2023-07-18T22:00:00.000+00:00",
"revision_history": [
{
"date": "2023-07-18T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.1.0",
"product": {
"name": "Oracle Financial Services Applications 8.1.0",
"product_id": "T018983",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications \u003c= 14.3",
"product": {
"name": "Oracle Financial Services Applications \u003c= 14.3",
"product_id": "T019887",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:14.3"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.1.1",
"product": {
"name": "Oracle Financial Services Applications 8.1.1",
"product_id": "T019891",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.1"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.0.7",
"product": {
"name": "Oracle Financial Services Applications 8.0.7",
"product_id": "T021676",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.0.7"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.0.8",
"product": {
"name": "Oracle Financial Services Applications 8.0.8",
"product_id": "T021677",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.0.8"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.1.1.1",
"product": {
"name": "Oracle Financial Services Applications 8.1.1.1",
"product_id": "T022835",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.1.1"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.0.8.1",
"product": {
"name": "Oracle Financial Services Applications 8.0.8.1",
"product_id": "T022844",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.0.8.1"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.0.8.2",
"product": {
"name": "Oracle Financial Services Applications 8.0.8.2",
"product_id": "T024990",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.0.8.2"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications \u003c= 14.7",
"product": {
"name": "Oracle Financial Services Applications \u003c= 14.7",
"product_id": "T027348",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:14.7"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.1.2.4",
"product": {
"name": "Oracle Financial Services Applications 8.1.2.4",
"product_id": "T027351",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.2.4"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 14.6",
"product": {
"name": "Oracle Financial Services Applications 14.6",
"product_id": "T027355",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:14.6"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 18.2.0.0.0",
"product": {
"name": "Oracle Financial Services Applications 18.2.0.0.0",
"product_id": "T028691",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:18.2.0.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 18.3.0.0.0",
"product": {
"name": "Oracle Financial Services Applications 18.3.0.0.0",
"product_id": "T028692",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:18.3.0.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 19.1.0.0.0",
"product": {
"name": "Oracle Financial Services Applications 19.1.0.0.0",
"product_id": "T028693",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:19.1.0.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 19.2.0.0.0",
"product": {
"name": "Oracle Financial Services Applications 19.2.0.0.0",
"product_id": "T028694",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:19.2.0.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 21.1.0.0.0",
"product": {
"name": "Oracle Financial Services Applications 21.1.0.0.0",
"product_id": "T028695",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:21.1.0.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 22.1.0.0.0",
"product": {
"name": "Oracle Financial Services Applications 22.1.0.0.0",
"product_id": "T028696",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:22.1.0.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 22.2.0.0.0",
"product": {
"name": "Oracle Financial Services Applications 22.2.0.0.0",
"product_id": "T028697",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:22.2.0.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 14.7.0.2.0",
"product": {
"name": "Oracle Financial Services Applications 14.7.0.2.0",
"product_id": "T028698",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:14.7.0.2.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 14.7.1.0.0",
"product": {
"name": "Oracle Financial Services Applications 14.7.1.0.0",
"product_id": "T028699",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:14.7.1.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 14.5.0.8.0",
"product": {
"name": "Oracle Financial Services Applications 14.5.0.8.0",
"product_id": "T028700",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:14.5.0.8.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 14.6.0.4.0",
"product": {
"name": "Oracle Financial Services Applications 14.6.0.4.0",
"product_id": "T028701",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:14.6.0.4.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 14.7.0.0.0",
"product": {
"name": "Oracle Financial Services Applications 14.7.0.0.0",
"product_id": "T028702",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:14.7.0.0.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 14.6.0.3.0",
"product": {
"name": "Oracle Financial Services Applications 14.6.0.3.0",
"product_id": "T028703",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:14.6.0.3.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 14.7.0.1.0",
"product": {
"name": "Oracle Financial Services Applications 14.7.0.1.0",
"product_id": "T028704",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:14.7.0.1.0"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.1.2",
"product": {
"name": "Oracle Financial Services Applications 8.1.2",
"product_id": "T028705",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.2"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 8.1.2.5",
"product": {
"name": "Oracle Financial Services Applications 8.1.2.5",
"product_id": "T028706",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:8.1.2.5"
}
}
},
{
"category": "product_name",
"name": "Oracle Financial Services Applications 14.7.0",
"product": {
"name": "Oracle Financial Services Applications 14.7.0",
"product_id": "T028707",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:financial_services_applications:14.7.0"
}
}
}
],
"category": "product_name",
"name": "Financial Services Applications"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-28708",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-28708"
},
{
"cve": "CVE-2023-28439",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-28439"
},
{
"cve": "CVE-2023-25194",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-25194"
},
{
"cve": "CVE-2023-24998",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-24998"
},
{
"cve": "CVE-2023-20863",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-20863"
},
{
"cve": "CVE-2023-20861",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-20861"
},
{
"cve": "CVE-2023-1436",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-1436"
},
{
"cve": "CVE-2023-1370",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2023-1370"
},
{
"cve": "CVE-2022-48285",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-48285"
},
{
"cve": "CVE-2022-46364",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-46364"
},
{
"cve": "CVE-2022-45693",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-45693"
},
{
"cve": "CVE-2022-45199",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-45199"
},
{
"cve": "CVE-2022-45143",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-45143"
},
{
"cve": "CVE-2022-45047",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-45047"
},
{
"cve": "CVE-2022-42890",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-42890"
},
{
"cve": "CVE-2022-42003",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-42003"
},
{
"cve": "CVE-2022-41966",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-41966"
},
{
"cve": "CVE-2022-41881",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-41881"
},
{
"cve": "CVE-2022-36033",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-36033"
},
{
"cve": "CVE-2022-33879",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-33879"
},
{
"cve": "CVE-2022-3171",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-3171"
},
{
"cve": "CVE-2022-31692",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-31692"
},
{
"cve": "CVE-2022-31129",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-31129"
},
{
"cve": "CVE-2022-2048",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-2048"
},
{
"cve": "CVE-2022-1471",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2022-1471"
},
{
"cve": "CVE-2021-37533",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2021-37533"
},
{
"cve": "CVE-2020-13936",
"notes": [
{
"category": "description",
"text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he."
}
],
"product_status": {
"known_affected": [
"T027351",
"T019891",
"T021677",
"T022844",
"T018983",
"T021676",
"T028707",
"T028705",
"T028706",
"T028703",
"T028704",
"T028701",
"T028702",
"T028700",
"T027355",
"T028693",
"T028694",
"T028691",
"T028692",
"T022835",
"T028699",
"T028697",
"T028698",
"T028695",
"T024990",
"T028696"
],
"last_affected": [
"T019887",
"T027348"
]
},
"release_date": "2023-07-18T22:00:00.000+00:00",
"title": "CVE-2020-13936"
}
]
}
CERTFR-2023-AVI-0325
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Oracle. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Oracle | Java SE | Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20 | ||
| Oracle | Database Server | Oracle Database Server 19c, 21c | ||
| Oracle | N/A | Oracle GraalVM Enterprise Edition: 20.3.8, 20.3.9, 21.3.4, 21.3.5, 22.3.0, 22.3.1 | ||
| Oracle | PeopleSoft | Oracle PeopleSoft versions 8.58, 8.59, 8.60, 9.2 | ||
| Oracle | Virtualization | Oracle Virtualization versions 6.1.x antérieures à 6.1.44 | ||
| Oracle | MySQL | Oracle MySQL versions 8.0.33 et antérieures | ||
| Oracle | Systems | Oracle Systems versions 10, 11 | ||
| Oracle | Virtualization | Oracle Virtualization versions 7.0.x antérieures à 7.0.8 | ||
| Oracle | MySQL | Oracle MySQL versions 5.7.41 et antérieures | ||
| Oracle | Weblogic | Oracle WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20",
"product": {
"name": "Java SE",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Database Server 19c, 21c",
"product": {
"name": "Database Server",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle GraalVM Enterprise Edition: 20.3.8, 20.3.9, 21.3.4, 21.3.5, 22.3.0, 22.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle PeopleSoft versions 8.58, 8.59, 8.60, 9.2",
"product": {
"name": "PeopleSoft",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Virtualization versions 6.1.x ant\u00e9rieures \u00e0 6.1.44",
"product": {
"name": "Virtualization",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle MySQL versions 8.0.33 et ant\u00e9rieures",
"product": {
"name": "MySQL",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Systems versions 10, 11",
"product": {
"name": "Systems",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Virtualization versions 7.0.x ant\u00e9rieures \u00e0 7.0.8",
"product": {
"name": "Virtualization",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle MySQL versions 5.7.41 et ant\u00e9rieures",
"product": {
"name": "MySQL",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0",
"product": {
"name": "Weblogic",
"vendor": {
"name": "Oracle",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2023-21938",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21938"
},
{
"name": "CVE-2023-21916",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21916"
},
{
"name": "CVE-2023-21985",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21985"
},
{
"name": "CVE-2023-21979",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21979"
},
{
"name": "CVE-2023-21986",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21986"
},
{
"name": "CVE-2020-14343",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14343"
},
{
"name": "CVE-2023-21954",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21954"
},
{
"name": "CVE-2023-21940",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21940"
},
{
"name": "CVE-2023-21939",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21939"
},
{
"name": "CVE-2023-21962",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21962"
},
{
"name": "CVE-2022-31160",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31160"
},
{
"name": "CVE-2022-45061",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45061"
},
{
"name": "CVE-2023-21917",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21917"
},
{
"name": "CVE-2023-21984",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21984"
},
{
"name": "CVE-2023-21956",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21956"
},
{
"name": "CVE-2023-0215",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0215"
},
{
"name": "CVE-2023-21945",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21945"
},
{
"name": "CVE-2022-42916",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42916"
},
{
"name": "CVE-2023-21966",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21966"
},
{
"name": "CVE-2023-21947",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21947"
},
{
"name": "CVE-2023-22002",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22002"
},
{
"name": "CVE-2023-21981",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21981"
},
{
"name": "CVE-2023-21987",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21987"
},
{
"name": "CVE-2023-21977",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21977"
},
{
"name": "CVE-2023-21971",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21971"
},
{
"name": "CVE-2023-21999",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21999"
},
{
"name": "CVE-2023-21928",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21928"
},
{
"name": "CVE-2023-21972",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21972"
},
{
"name": "CVE-2023-21960",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21960"
},
{
"name": "CVE-2021-37533",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37533"
},
{
"name": "CVE-2023-21990",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21990"
},
{
"name": "CVE-2023-22000",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22000"
},
{
"name": "CVE-2023-21913",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21913"
},
{
"name": "CVE-2023-23918",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23918"
},
{
"name": "CVE-2021-36090",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-36090"
},
{
"name": "CVE-2023-21963",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21963"
},
{
"name": "CVE-2023-21980",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21980"
},
{
"name": "CVE-2020-6950",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-6950"
},
{
"name": "CVE-2023-21996",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21996"
},
{
"name": "CVE-2022-40152",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
},
{
"name": "CVE-2023-21953",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21953"
},
{
"name": "CVE-2023-21934",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21934"
},
{
"name": "CVE-2023-22003",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22003"
},
{
"name": "CVE-2023-21998",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21998"
},
{
"name": "CVE-2022-37434",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37434"
},
{
"name": "CVE-2023-21946",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21946"
},
{
"name": "CVE-2023-21933",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21933"
},
{
"name": "CVE-2023-21931",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21931"
},
{
"name": "CVE-2023-21937",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21937"
},
{
"name": "CVE-2022-45143",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45143"
},
{
"name": "CVE-2023-21896",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21896"
},
{
"name": "CVE-2022-43551",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43551"
},
{
"name": "CVE-2023-21964",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21964"
},
{
"name": "CVE-2021-22569",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22569"
},
{
"name": "CVE-2022-34169",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34169"
},
{
"name": "CVE-2022-43548",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43548"
},
{
"name": "CVE-2023-21920",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21920"
},
{
"name": "CVE-2022-45685",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45685"
},
{
"name": "CVE-2023-21918",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21918"
},
{
"name": "CVE-2023-21992",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21992"
},
{
"name": "CVE-2023-21911",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21911"
},
{
"name": "CVE-2023-21976",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21976"
},
{
"name": "CVE-2021-31684",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31684"
},
{
"name": "CVE-2023-21968",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21968"
},
{
"name": "CVE-2023-21991",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21991"
},
{
"name": "CVE-2023-21989",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21989"
},
{
"name": "CVE-2023-21982",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21982"
},
{
"name": "CVE-2023-21930",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21930"
},
{
"name": "CVE-2023-24998",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24998"
},
{
"name": "CVE-2023-21935",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21935"
},
{
"name": "CVE-2020-25638",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25638"
},
{
"name": "CVE-2023-21955",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21955"
},
{
"name": "CVE-2023-21988",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21988"
},
{
"name": "CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"name": "CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"name": "CVE-2022-36033",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36033"
},
{
"name": "CVE-2023-21912",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21912"
},
{
"name": "CVE-2023-21929",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21929"
},
{
"name": "CVE-2023-21967",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21967"
},
{
"name": "CVE-2023-22001",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22001"
},
{
"name": "CVE-2022-41881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
},
{
"name": "CVE-2023-21948",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21948"
},
{
"name": "CVE-2023-21919",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21919"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-0325",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-04-19T00:00:00.000000"
},
{
"description": "Correction coquilles.",
"revision_date": "2023-04-20T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nOracle. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Oracle",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle cpuapr2023 du 18 avril 2023",
"url": "https://www.oracle.com/security-alerts/cpuapr2023.html"
}
]
}
CERTFR-2023-AVI-0314
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans IBM Spectrum Scale. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Spectrum Scale versions 5.1.3.x \u00e0 5.1.6.x ant\u00e9rieures \u00e0 5.1.7.0",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Spectrum Scale versions 5.1.0.x \u00e0 5.1.2.x ant\u00e9rieures \u00e0 5.1.2.9",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-41739",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41739"
},
{
"name": "CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-0314",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-04-14T00:00:00.000000"
},
{
"description": "Correction lien CVE-2022-45047",
"revision_date": "2023-04-17T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM Spectrum Scale.\nElles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code\narbitraire \u00e0 distance, un contournement de la politique de s\u00e9curit\u00e9 et\nune atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM Spectrum Scale",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6964568 du 14 avril 2023",
"url": "https://www.ibm.com/support/pages/node/6964568"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6983769 du 14 avril 2023",
"url": "https://www.ibm.com/support/pages/node/6983769"
}
]
}
CERTFR-2023-AVI-0325
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Oracle. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Oracle | Java SE | Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20 | ||
| Oracle | Database Server | Oracle Database Server 19c, 21c | ||
| Oracle | N/A | Oracle GraalVM Enterprise Edition: 20.3.8, 20.3.9, 21.3.4, 21.3.5, 22.3.0, 22.3.1 | ||
| Oracle | PeopleSoft | Oracle PeopleSoft versions 8.58, 8.59, 8.60, 9.2 | ||
| Oracle | Virtualization | Oracle Virtualization versions 6.1.x antérieures à 6.1.44 | ||
| Oracle | MySQL | Oracle MySQL versions 8.0.33 et antérieures | ||
| Oracle | Systems | Oracle Systems versions 10, 11 | ||
| Oracle | Virtualization | Oracle Virtualization versions 7.0.x antérieures à 7.0.8 | ||
| Oracle | MySQL | Oracle MySQL versions 5.7.41 et antérieures | ||
| Oracle | Weblogic | Oracle WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20",
"product": {
"name": "Java SE",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Database Server 19c, 21c",
"product": {
"name": "Database Server",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle GraalVM Enterprise Edition: 20.3.8, 20.3.9, 21.3.4, 21.3.5, 22.3.0, 22.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle PeopleSoft versions 8.58, 8.59, 8.60, 9.2",
"product": {
"name": "PeopleSoft",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Virtualization versions 6.1.x ant\u00e9rieures \u00e0 6.1.44",
"product": {
"name": "Virtualization",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle MySQL versions 8.0.33 et ant\u00e9rieures",
"product": {
"name": "MySQL",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Systems versions 10, 11",
"product": {
"name": "Systems",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Virtualization versions 7.0.x ant\u00e9rieures \u00e0 7.0.8",
"product": {
"name": "Virtualization",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle MySQL versions 5.7.41 et ant\u00e9rieures",
"product": {
"name": "MySQL",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0",
"product": {
"name": "Weblogic",
"vendor": {
"name": "Oracle",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2023-21938",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21938"
},
{
"name": "CVE-2023-21916",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21916"
},
{
"name": "CVE-2023-21985",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21985"
},
{
"name": "CVE-2023-21979",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21979"
},
{
"name": "CVE-2023-21986",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21986"
},
{
"name": "CVE-2020-14343",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14343"
},
{
"name": "CVE-2023-21954",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21954"
},
{
"name": "CVE-2023-21940",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21940"
},
{
"name": "CVE-2023-21939",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21939"
},
{
"name": "CVE-2023-21962",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21962"
},
{
"name": "CVE-2022-31160",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31160"
},
{
"name": "CVE-2022-45061",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45061"
},
{
"name": "CVE-2023-21917",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21917"
},
{
"name": "CVE-2023-21984",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21984"
},
{
"name": "CVE-2023-21956",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21956"
},
{
"name": "CVE-2023-0215",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0215"
},
{
"name": "CVE-2023-21945",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21945"
},
{
"name": "CVE-2022-42916",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42916"
},
{
"name": "CVE-2023-21966",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21966"
},
{
"name": "CVE-2023-21947",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21947"
},
{
"name": "CVE-2023-22002",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22002"
},
{
"name": "CVE-2023-21981",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21981"
},
{
"name": "CVE-2023-21987",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21987"
},
{
"name": "CVE-2023-21977",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21977"
},
{
"name": "CVE-2023-21971",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21971"
},
{
"name": "CVE-2023-21999",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21999"
},
{
"name": "CVE-2023-21928",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21928"
},
{
"name": "CVE-2023-21972",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21972"
},
{
"name": "CVE-2023-21960",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21960"
},
{
"name": "CVE-2021-37533",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37533"
},
{
"name": "CVE-2023-21990",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21990"
},
{
"name": "CVE-2023-22000",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22000"
},
{
"name": "CVE-2023-21913",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21913"
},
{
"name": "CVE-2023-23918",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23918"
},
{
"name": "CVE-2021-36090",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-36090"
},
{
"name": "CVE-2023-21963",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21963"
},
{
"name": "CVE-2023-21980",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21980"
},
{
"name": "CVE-2020-6950",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-6950"
},
{
"name": "CVE-2023-21996",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21996"
},
{
"name": "CVE-2022-40152",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
},
{
"name": "CVE-2023-21953",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21953"
},
{
"name": "CVE-2023-21934",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21934"
},
{
"name": "CVE-2023-22003",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22003"
},
{
"name": "CVE-2023-21998",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21998"
},
{
"name": "CVE-2022-37434",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37434"
},
{
"name": "CVE-2023-21946",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21946"
},
{
"name": "CVE-2023-21933",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21933"
},
{
"name": "CVE-2023-21931",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21931"
},
{
"name": "CVE-2023-21937",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21937"
},
{
"name": "CVE-2022-45143",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45143"
},
{
"name": "CVE-2023-21896",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21896"
},
{
"name": "CVE-2022-43551",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43551"
},
{
"name": "CVE-2023-21964",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21964"
},
{
"name": "CVE-2021-22569",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22569"
},
{
"name": "CVE-2022-34169",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34169"
},
{
"name": "CVE-2022-43548",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43548"
},
{
"name": "CVE-2023-21920",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21920"
},
{
"name": "CVE-2022-45685",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45685"
},
{
"name": "CVE-2023-21918",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21918"
},
{
"name": "CVE-2023-21992",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21992"
},
{
"name": "CVE-2023-21911",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21911"
},
{
"name": "CVE-2023-21976",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21976"
},
{
"name": "CVE-2021-31684",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31684"
},
{
"name": "CVE-2023-21968",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21968"
},
{
"name": "CVE-2023-21991",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21991"
},
{
"name": "CVE-2023-21989",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21989"
},
{
"name": "CVE-2023-21982",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21982"
},
{
"name": "CVE-2023-21930",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21930"
},
{
"name": "CVE-2023-24998",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24998"
},
{
"name": "CVE-2023-21935",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21935"
},
{
"name": "CVE-2020-25638",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25638"
},
{
"name": "CVE-2023-21955",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21955"
},
{
"name": "CVE-2023-21988",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21988"
},
{
"name": "CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"name": "CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"name": "CVE-2022-36033",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36033"
},
{
"name": "CVE-2023-21912",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21912"
},
{
"name": "CVE-2023-21929",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21929"
},
{
"name": "CVE-2023-21967",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21967"
},
{
"name": "CVE-2023-22001",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22001"
},
{
"name": "CVE-2022-41881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
},
{
"name": "CVE-2023-21948",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21948"
},
{
"name": "CVE-2023-21919",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21919"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-0325",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-04-19T00:00:00.000000"
},
{
"description": "Correction coquilles.",
"revision_date": "2023-04-20T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nOracle. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Oracle",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle cpuapr2023 du 18 avril 2023",
"url": "https://www.oracle.com/security-alerts/cpuapr2023.html"
}
]
}
CERTFR-2023-AVI-0314
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans IBM Spectrum Scale. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Spectrum Scale versions 5.1.3.x \u00e0 5.1.6.x ant\u00e9rieures \u00e0 5.1.7.0",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Spectrum Scale versions 5.1.0.x \u00e0 5.1.2.x ant\u00e9rieures \u00e0 5.1.2.9",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-41739",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41739"
},
{
"name": "CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
}
],
"links": [],
"reference": "CERTFR-2023-AVI-0314",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-04-14T00:00:00.000000"
},
{
"description": "Correction lien CVE-2022-45047",
"revision_date": "2023-04-17T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM Spectrum Scale.\nElles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code\narbitraire \u00e0 distance, un contournement de la politique de s\u00e9curit\u00e9 et\nune atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM Spectrum Scale",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6964568 du 14 avril 2023",
"url": "https://www.ibm.com/support/pages/node/6964568"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6983769 du 14 avril 2023",
"url": "https://www.ibm.com/support/pages/node/6983769"
}
]
}
CNVD-2022-79656
Vulnerability from cnvd - Published: 2022-11-23
VLAI Severity ?
Title
Apache MINA反序列化漏洞
Description
Apache MINA是美国阿帕奇(Apache)基金会的一款网络应用程序框架。该产品主要用于开发高性能和高可伸缩性的网络应用程序。
Apache MINA 2.9.1及之前版本存在反序列化漏洞,该漏洞源于使用Java反序列化加载序列化java.security.PrivateKey,攻击者可利用该漏洞加载SSH服务器的主机密钥。
Severity
高
Patch Name
Apache MINA反序列化漏洞的补丁
Patch Description
Apache MINA是美国阿帕奇(Apache)基金会的一款网络应用程序框架。该产品主要用于开发高性能和高可伸缩性的网络应用程序。
Apache MINA 2.9.1及之前版本存在反序列化漏洞,该漏洞源于使用Java反序列化加载序列化java.security.PrivateKey,攻击者可利用该漏洞加载SSH服务器的主机密钥。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
厂商已发布了漏洞修复程序,请及时关注更新:https://www.mail-archive.com/dev@mina.apache.org/msg39312.html
Reference
https://cxsecurity.com/cveshow/CVE-2022-45047/
Impacted products
| Name | Apache Apache MINA <=2.9.1 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2022-45047",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
}
},
"description": "Apache MINA\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u7f51\u7edc\u5e94\u7528\u7a0b\u5e8f\u6846\u67b6\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u5f00\u53d1\u9ad8\u6027\u80fd\u548c\u9ad8\u53ef\u4f38\u7f29\u6027\u7684\u7f51\u7edc\u5e94\u7528\u7a0b\u5e8f\u3002\n\nApache MINA 2.9.1\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4f7f\u7528Java\u53cd\u5e8f\u5217\u5316\u52a0\u8f7d\u5e8f\u5217\u5316java.security.PrivateKey\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u52a0\u8f7dSSH\u670d\u52a1\u5668\u7684\u4e3b\u673a\u5bc6\u94a5\u3002",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1ahttps://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2022-79656",
"openTime": "2022-11-23",
"patchDescription": "Apache MINA\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u7f51\u7edc\u5e94\u7528\u7a0b\u5e8f\u6846\u67b6\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u5f00\u53d1\u9ad8\u6027\u80fd\u548c\u9ad8\u53ef\u4f38\u7f29\u6027\u7684\u7f51\u7edc\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nApache MINA 2.9.1\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4f7f\u7528Java\u53cd\u5e8f\u5217\u5316\u52a0\u8f7d\u5e8f\u5217\u5316java.security.PrivateKey\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u52a0\u8f7dSSH\u670d\u52a1\u5668\u7684\u4e3b\u673a\u5bc6\u94a5\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Apache MINA\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "Apache Apache MINA \u003c=2.9.1"
},
"referenceLink": "https://cxsecurity.com/cveshow/CVE-2022-45047/",
"serverity": "\u9ad8",
"submitTime": "2022-11-18",
"title": "Apache MINA\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e"
}
GSD-2022-45047
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-45047",
"description": "Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD \u003c= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.",
"id": "GSD-2022-45047",
"references": [
"https://access.redhat.com/errata/RHSA-2022:8957",
"https://access.redhat.com/errata/RHSA-2023:0074",
"https://www.suse.com/security/cve/CVE-2022-45047.html",
"https://access.redhat.com/errata/RHSA-2023:0552",
"https://access.redhat.com/errata/RHSA-2023:0553",
"https://access.redhat.com/errata/RHSA-2023:0554",
"https://access.redhat.com/errata/RHSA-2023:0556",
"https://access.redhat.com/errata/RHSA-2023:0560",
"https://access.redhat.com/errata/RHSA-2023:0713",
"https://access.redhat.com/errata/RHSA-2023:0758",
"https://access.redhat.com/errata/RHSA-2023:0777",
"https://access.redhat.com/errata/RHSA-2023:1043",
"https://access.redhat.com/errata/RHSA-2023:1044",
"https://access.redhat.com/errata/RHSA-2023:1045",
"https://access.redhat.com/errata/RHSA-2023:1047",
"https://access.redhat.com/errata/RHSA-2023:1049",
"https://access.redhat.com/errata/RHSA-2023:1064"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-45047"
],
"details": "Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD \u003c= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.",
"id": "GSD-2022-45047",
"modified": "2023-12-13T01:19:24.616296Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-45047",
"STATE": "PUBLIC",
"TITLE": "Apache MINA SSHD: Java unsafe deserialization vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache MINA SSHD",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "2.9.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "The Apache MINA SSHD team would like to thank Zhang Zewei, NOFOCUS, for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD \u003c= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "important"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502 Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"refsource": "MISC",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20240216-0008/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20240216-0008/"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "eng",
"value": "For Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of SimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser)."
},
{
"lang": "eng",
"value": "The issue was fixed in Apache MINA SSHD 2.9.2. "
}
]
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,2.9.2)",
"affected_versions": "All versions before 2.9.2",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-502",
"CWE-937"
],
"date": "2022-11-21",
"description": "Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD \u003c= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.",
"fixed_versions": [
"2.9.2"
],
"identifier": "CVE-2022-45047",
"identifiers": [
"GHSA-fhw8-8j55-vwgq",
"CVE-2022-45047"
],
"not_impacted": "All versions starting from 2.9.2",
"package_slug": "maven/org.apache.sshd/sshd-common",
"pubdate": "2022-11-16",
"solution": "Upgrade to version 2.9.2 or above.",
"title": "Deserialization of Untrusted Data",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"https://github.com/apache/mina-sshd/commit/03238d51586f6b3c0bdbb1a23cf16799344d6c32",
"https://github.com/apache/mina-sshd/commit/5a8fe830b2a2308a2b24ac8115a391af477f64f5",
"https://github.com/advisories/GHSA-fhw8-8j55-vwgq"
],
"uuid": "36ad34aa-63c5-40c5-a965-4724df7ecddd"
},
{
"affected_range": "(,2.1.0)",
"affected_versions": "All versions before 2.1.0",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-502",
"CWE-937"
],
"date": "2023-08-18",
"description": "Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD \u003c= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.",
"fixed_versions": [
"2.9.2"
],
"identifier": "CVE-2022-45047",
"identifiers": [
"GHSA-fhw8-8j55-vwgq",
"CVE-2022-45047"
],
"not_impacted": "All versions starting from 2.1.0",
"package_slug": "maven/org.apache.sshd/sshd-core",
"pubdate": "2022-11-16",
"solution": "Upgrade to version 2.9.2 or above.",
"title": "Deserialization of Untrusted Data",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"https://www.mail-archive.com/dev@mina.apache.org/msg39312.html",
"https://github.com/apache/mina-sshd/commit/03238d51586f6b3c0bdbb1a23cf16799344d6c32",
"https://github.com/apache/mina-sshd/commit/5a8fe830b2a2308a2b24ac8115a391af477f64f5",
"https://github.com/apache/mina-sshd/commit/10de190e7d3f9189deb76b8d08c72334a1fe2df0",
"https://github.com/advisories/GHSA-fhw8-8j55-vwgq"
],
"uuid": "ff844e91-ea5b-4777-9f38-8455a6751ba5"
},
{
"affected_range": "(,2.9.2)",
"affected_versions": "All versions before 2.9.2",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-502",
"CWE-937"
],
"date": "2022-11-18",
"description": "Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD \u003c= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.",
"fixed_versions": [
"2.9.2"
],
"identifier": "CVE-2022-45047",
"identifiers": [
"CVE-2022-45047"
],
"not_impacted": "All versions starting from 2.9.2",
"package_slug": "maven/org.apache.sshd/sshd",
"pubdate": "2022-11-16",
"solution": "Upgrade to version 2.9.2 or above.",
"title": "Deserialization of Untrusted Data",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-45047",
"https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
],
"uuid": "3724cb12-df77-481a-ba28-a473aaf237a9"
}
]
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:sshd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "00D0F9FD-039D-4097-979B-9242276B1DD3",
"versionEndIncluding": "2.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD \u003c= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server."
},
{
"lang": "es",
"value": "La clase org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider en Apache MINA SSHD anteriore a la versi\u00f3n 2.9.1 usa la deserializaci\u00f3n de Java para cargar una java.security.PrivateKey serializada. La clase es una de varias implementaciones que un implementador que usa Apache MINA SSHD puede elegir para cargar las claves de host de un servidor SSH."
}
],
"id": "CVE-2022-45047",
"lastModified": "2024-02-16T13:15:09.513",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-16T09:15:14.320",
"references": [
{
"source": "security@apache.org",
"url": "https://security.netapp.com/advisory/ntap-20240216-0008/"
},
{
"source": "security@apache.org",
"url": "https://www.mail-archive.com/dev%40mina.apache.org/msg39312.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
}
}
}
NCSC-2025-0126
Vulnerability from csaf_ncscnl - Published: 2025-04-16 14:59 - Updated: 2025-04-16 14:59Summary
Kwetsbaarheden verholpen in Oracle Enterprise Manager
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Oracle heeft kwetsbaarheden verholpen in Oracle Enterprise Manager
Interpretaties
De kwetsbaarheden stellen ongeauthenticeerde aanvallers in staat om systemen te compromitteren via HTTP of SSH, wat kan leiden tot Denial-of-Service (DoS) of vertrouwelijke informatie openbaarmaking. Specifiek in de ObjectSerializationDecoder van Apache MINA is er een kritieke kwetsbaarheid die op afstand code-executie mogelijk maakt door een gebrek aan beveiligingscontroles in het deserialisatieproces. Dit betreft versies 2.0.X, 2.1.X, en 2.2.X. Daarnaast kunnen aanvallers ook gebruik maken van een kwetsbaarheid in Oracle's Primavera Gateway, die een Denial-of-Service kan veroorzaken.
Oplossingen
Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans
medium
Schade
high
CWE-1124
Excessively Deep Nesting
CWE-404
Improper Resource Shutdown or Release
CWE-94
Improper Control of Generation of Code ('Code Injection')
CWE-502
Deserialization of Untrusted Data
CWE-674
Uncontrolled Recursion
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Oracle heeft kwetsbaarheden verholpen in Oracle Enterprise Manager",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden stellen ongeauthenticeerde aanvallers in staat om systemen te compromitteren via HTTP of SSH, wat kan leiden tot Denial-of-Service (DoS) of vertrouwelijke informatie openbaarmaking. Specifiek in de ObjectSerializationDecoder van Apache MINA is er een kritieke kwetsbaarheid die op afstand code-executie mogelijk maakt door een gebrek aan beveiligingscontroles in het deserialisatieproces. Dit betreft versies 2.0.X, 2.1.X, en 2.2.X. Daarnaast kunnen aanvallers ook gebruik maken van een kwetsbaarheid in Oracle\u0027s Primavera Gateway, die een Denial-of-Service kan veroorzaken.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Excessively Deep Nesting",
"title": "CWE-1124"
},
{
"category": "general",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
},
{
"category": "general",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
},
{
"category": "general",
"text": "Uncontrolled Recursion",
"title": "CWE-674"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference - cveprojectv5; nvd; oracle",
"url": "https://www.oracle.com/security-alerts/cpuapr2025.html"
}
],
"title": "Kwetsbaarheden verholpen in Oracle Enterprise Manager",
"tracking": {
"current_release_date": "2025-04-16T14:59:13.973935Z",
"generator": {
"date": "2025-02-25T15:15:00Z",
"engine": {
"name": "V.A.",
"version": "1.0"
}
},
"id": "NCSC-2025-0126",
"initial_release_date": "2025-04-16T14:59:13.973935Z",
"revision_history": [
{
"date": "2025-04-16T14:59:13.973935Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/13.5.0.0",
"product": {
"name": "vers:unknown/13.5.0.0",
"product_id": "CSAFPID-1211244"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/13.5.0.0.0",
"product": {
"name": "vers:unknown/13.5.0.0.0",
"product_id": "CSAFPID-2698336"
}
},
{
"category": "product_version_range",
"name": "vers:unknown/24.1.0.0.0",
"product": {
"name": "vers:unknown/24.1.0.0.0",
"product_id": "CSAFPID-2698337"
}
}
],
"category": "product_name",
"name": "Enterprise Manager Base Platform"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/13.3.0.1",
"product": {
"name": "vers:unknown/13.3.0.1",
"product_id": "CSAFPID-1215022"
}
}
],
"category": "product_name",
"name": "Application Testing Suite"
}
],
"category": "product_family",
"name": "Oracle"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:oracle/13.5.0.0",
"product": {
"name": "vers:oracle/13.5.0.0",
"product_id": "CSAFPID-1145222",
"product_identification_helper": {
"cpe": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*"
}
}
}
],
"category": "product_name",
"name": "Oracle Enterprise Manager Base Platform"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:oracle/13.5.0.0.0",
"product": {
"name": "vers:oracle/13.5.0.0.0",
"product_id": "CSAFPID-2698939",
"product_identification_helper": {
"cpe": "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version_range",
"name": "vers:oracle/24.1.0.0.0",
"product": {
"name": "vers:oracle/24.1.0.0.0",
"product_id": "CSAFPID-2698940",
"product_identification_helper": {
"cpe": "cpe:2.3:a:oracle:enterprise_manager_base_platform:24.1.0.0.0:*:*:*:*:*:*:*"
}
}
}
],
"category": "product_name",
"name": "Oracle Enterprise Manager Base Platform"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:oracle/13.3.0.1",
"product": {
"name": "vers:oracle/13.3.0.1",
"product_id": "CSAFPID-1839876",
"product_identification_helper": {
"cpe": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*"
}
}
}
],
"category": "product_name",
"name": "Oracle Application Testing Suite"
}
],
"category": "product_family",
"name": "Oracle Enterprise Manager"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:oracle/13.3.0.1",
"product": {
"name": "vers:oracle/13.3.0.1",
"product_id": "CSAFPID-1144589",
"product_identification_helper": {
"cpe": "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*"
}
}
}
],
"category": "product_name",
"name": "Oracle Application Testing Suite"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-45047",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"category": "other",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1211244",
"CSAFPID-2698336",
"CSAFPID-2698337",
"CSAFPID-1145222",
"CSAFPID-2698939",
"CSAFPID-2698940",
"CSAFPID-1215022",
"CSAFPID-1839876",
"CSAFPID-1144589"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2022-45047",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-45047.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1211244",
"CSAFPID-2698336",
"CSAFPID-2698337",
"CSAFPID-1145222",
"CSAFPID-2698939",
"CSAFPID-2698940",
"CSAFPID-1215022",
"CSAFPID-1839876",
"CSAFPID-1144589"
]
}
],
"title": "CVE-2022-45047"
},
{
"cve": "CVE-2023-1370",
"cwe": {
"id": "CWE-674",
"name": "Uncontrolled Recursion"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Recursion",
"title": "CWE-674"
},
{
"category": "other",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "other",
"text": "Excessively Deep Nesting",
"title": "CWE-1124"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1211244",
"CSAFPID-2698336",
"CSAFPID-2698337",
"CSAFPID-1145222",
"CSAFPID-2698939",
"CSAFPID-2698940",
"CSAFPID-1215022",
"CSAFPID-1839876",
"CSAFPID-1144589"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-1370",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-1370.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1211244",
"CSAFPID-2698336",
"CSAFPID-2698337",
"CSAFPID-1145222",
"CSAFPID-2698939",
"CSAFPID-2698940",
"CSAFPID-1215022",
"CSAFPID-1839876",
"CSAFPID-1144589"
]
}
],
"title": "CVE-2023-1370"
},
{
"cve": "CVE-2024-52046",
"cwe": {
"id": "CWE-94",
"name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"title": "CWE-94"
},
{
"category": "other",
"text": "Deserialization of Untrusted Data",
"title": "CWE-502"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1211244",
"CSAFPID-2698336",
"CSAFPID-2698337",
"CSAFPID-1145222",
"CSAFPID-2698939",
"CSAFPID-2698940",
"CSAFPID-1215022",
"CSAFPID-1839876",
"CSAFPID-1144589"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-52046",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-52046.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1211244",
"CSAFPID-2698336",
"CSAFPID-2698337",
"CSAFPID-1145222",
"CSAFPID-2698939",
"CSAFPID-2698940",
"CSAFPID-1215022",
"CSAFPID-1839876",
"CSAFPID-1144589"
]
}
],
"title": "CVE-2024-52046"
},
{
"cve": "CVE-2024-57699",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "other",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "other",
"text": "Uncontrolled Recursion",
"title": "CWE-674"
},
{
"category": "general",
"text": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1211244",
"CSAFPID-2698336",
"CSAFPID-2698337",
"CSAFPID-1145222",
"CSAFPID-2698939",
"CSAFPID-2698940",
"CSAFPID-1215022",
"CSAFPID-1839876",
"CSAFPID-1144589"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-57699",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-57699.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1211244",
"CSAFPID-2698336",
"CSAFPID-2698337",
"CSAFPID-1145222",
"CSAFPID-2698939",
"CSAFPID-2698940",
"CSAFPID-1215022",
"CSAFPID-1839876",
"CSAFPID-1144589"
]
}
],
"title": "CVE-2024-57699"
}
]
}
GHSA-FHW8-8J55-VWGQ
Vulnerability from github – Published: 2022-11-16 12:00 – Updated: 2023-08-18 20:44
VLAI?
Summary
Unsafe deserialization in Apache MINA SSHD
Details
Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.
Until version 2.1.0, the code affected by this vulnerability appeared in org.apache.sshd:sshd-core. Version 2.1.0 contains a commit where the code was moved to the package org.apache.sshd:sshd-common, which did not exist until version 2.1.0.
Severity ?
9.8 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.sshd:sshd-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.9.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 2.1.0"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.sshd:sshd-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.9.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-45047"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-21T23:46:32Z",
"nvd_published_at": "2022-11-16T09:15:00Z",
"severity": "CRITICAL"
},
"details": "Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD \u003c= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.\n\nUntil version 2.1.0, the code affected by this vulnerability appeared in `org.apache.sshd:sshd-core`. Version 2.1.0 contains a [commit](https://github.com/apache/mina-sshd/commit/10de190e7d3f9189deb76b8d08c72334a1fe2df0) where the code was moved to the package `org.apache.sshd:sshd-common`, which did not exist until version 2.1.0.",
"id": "GHSA-fhw8-8j55-vwgq",
"modified": "2023-08-18T20:44:39Z",
"published": "2022-11-16T12:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047"
},
{
"type": "WEB",
"url": "https://github.com/apache/mina-sshd/commit/03238d51586f6b3c0bdbb1a23cf16799344d6c32"
},
{
"type": "WEB",
"url": "https://github.com/apache/mina-sshd/commit/10de190e7d3f9189deb76b8d08c72334a1fe2df0"
},
{
"type": "WEB",
"url": "https://github.com/apache/mina-sshd/commit/5a8fe830b2a2308a2b24ac8115a391af477f64f5"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/mina-sshd"
},
{
"type": "WEB",
"url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Unsafe deserialization in Apache MINA SSHD"
}
SUSE-SU-2024:0224-1
Vulnerability from csaf_suse - Published: 2024-01-25 08:27 - Updated: 2024-01-25 08:27Summary
Security update for apache-parent, apache-sshd
Notes
Title of the patch
Security update for apache-parent, apache-sshd
Description of the patch
This update for apache-parent, apache-sshd fixes the following issues:
apache-parent was updated from version 28 to 31:
- Version 31:
* New Features:
+ Added maven-checkstyle-plugin to pluginManagement
* Improvements:
+ Set minimalMavenBuildVersion to 3.6.3 - the minimum
used by plugins
+ Using an SPDX identifier as the license name is
recommended by Maven
+ Use properties to define the versions of plugins
* Bugs fixed:
+ Updated documentation for previous changes
apache-sshd was updated from version 2.7.0 to 2.12.0:
- Security issues fixed:
* CVE-2023-48795: Implemented OpenSSH 'strict key exchange' protocol in apache-sshd version 2.12.0 (bsc#1218189)
* CVE-2022-45047: Java unsafe deserialization vulnerability fixed in apache-sshd version 2.9.2 (bsc#1205463)
- Other changes in version 2.12.0:
* Bugs fixed:
+ SCP client fails silently when error signalled due to missing file or lacking permissions
+ Ignore unknown key types from agent or in OpenSSH host keys extension
* New Features:
+ Support GIT protocol-v2
- Other changes in version 2.11.0:
* Bugs fixed:
+ Added configurable timeout(s) to DefaultSftpClient
+ Compare file keys in ModifiableFileWatcher.
+ Fixed channel pool in SftpFileSystem.
+ Use correct default OpenOptions in SftpFileSystemProvider.newFileChannel().
+ Use correct lock modes for SFTP FileChannel.lock().
+ ScpClient: support issuing commands to a server that uses a non-UTF-8 locale.
+ SftpInputStreamAsync: fix reporting EOF on zero-length reads.
+ Work-around a bug in WS_FTP <= 12.9 SFTP clients.
+ (Regression in 2.10.0) SFTP performance fix: override FilterOutputStream.write(byte[], int, int).
+ Fixed a race condition to ensure SSH_MSG_CHANNEL_EOF is always sent before SSH_MSG_CHANNEL_CLOSE.
+ Fixed error handling while flushing queued packets at end of KEX.
+ Fixed wrong log level on closing an Nio2Session.
+ Fixed detection of Android O/S from system properties.
+ Consider all applicable host keys from the known_hosts files.
+ SftpFileSystem: do not close user session.
+ ChannelAsyncOutputStream: remove write future when done.
+ SSHD-1332 (Regression in 2.10.0) Resolve ~ in IdentityFile file names in HostConfigEntry.
* New Features:
+ Use KeepAliveHandler global request instance in client as well
+ Publish snapshot maven artifacts to the Apache Snapshots maven repository.
+ Bundle sshd-contrib has support classes for the HAProxy protocol V2.
- Other changes in version 2.10.0:
* Bugs fixed:
+ Connection attempt not canceled when a connection timeout occurs
+ Possible OOM in ChannelPipedInputStream
+ SftpRemotePathChannel.transferFrom(...) ignores position argument
+ Rooted file system can leak informations
+ Failed to establish an SSH connection because the server identifier exceeds the int range
* Improvements:
+ Password in clear in SSHD server's logs
- Other changes in version 2.9.2:
* Bugs fixed:
+ SFTP worker threads got stuck while processing PUT methods against one specific SFTP server
+ Use the maximum packet size of the communication partner
+ ExplicitPortForwardingTracker does not unbind auto-allocated one
+ Default SshClient FD leak because Selector not closed
+ Reading again from exhausted ChannelExec#getInvertedOut() throws IOException instead of returning -1
+ Keeping error streams and input streams separate after ChannelExec#setRedirectErrorStream(true) is called
+ Nio2Session.shutdownOutput() should wait for writes in progress
* Test:
+ Research intermittent failure in unit tests using various I/O
service factories
- Other changes in version 2.9.1:
* Bugs fixed:
+ ClientSession.auth().verify() is terminated with timeout
+ 2.9.0 release broken on Java 8
+ Infinite loop in org.apache.sshd.sftp.client.impl.SftpInputStreamAsync#doRead
+ Deadlock during session exit
+ Race condition is logged in ChannelAsyncOutputStream
- Other changes in version 2.9.0:
* Bugs fixed:
+ Deadlock on disconnection at the end of key-exchange
+ Remote port forwarding mode does not handle EOF properly
+ Public key authentication: wrong signature algorithm used (ed25519 key with ssh-rsa signature)
+ Client fails window adjust above Integer.MAX_VALUE
+ class loader fails to load org.apache.sshd.common.cipher.BaseGCMCipher
+ Shell is not getting closed if the command has already closed the OutputStream it is using.
+ Sometimes async write listener is not called
+ Unhandled SSH_MSG_CHANNEL_WINDOW_ADJUST leeds to SocketTimeoutException
+ different host key algorithm used on rekey than used for the initial connection
+ OpenSSH certificate is not properly encoded when critical options are included
+ TCP/IP remote port forwarding with wildcard IP addresses doesn't work with OpenSSH
+ UserAuthPublicKey: uses ssh-rsa signatures for RSA keys from an agent
* New Features:
+ Added support for Argon2 encrypted PUTTY key files
+ Added support for merged inverted output and error streams of remote process
* Improvements:
+ Added support for 'limits@openssh.com' SFTP extension
+ Support host-based pubkey authentication in the client
+ Send environment variable and open subsystem at the same time for SSH session
- Other changes in version 2.8.0:
* Bugs fixed:
+ Fixed wrong server key algorithm choice
+ Expiration of OpenSshCertificates needs to compare timestamps as unsigned long
+ SFTP Get downloads empty file from servers which supports EOF indication after data
+ skip() doesn't work properly in SftpInputStreamAsync
+ OpenMode and CopyMode is not honored as expected in version > 4 of SFTP api
+ SftpTransferTest sometimes hangs (failure during rekeying)
+ Race condition in KEX
+ Fix the ciphers supported documentation
+ Update tarLongFileMode to use POSIX
+ WinsCP transfer failure to Apache SSHD Server
+ Pubkey auth: keys from ssh-agent are used even if HostConfigEntry.isIdentitiesOnly() is true
+ Support RSA SHA2 signatures via SSH agent
+ NOTICE: wrong copyright year range
+ Wrong creationTime in writeAttrs for SFTP
+ sshd-netty logs all traffic on INFO level
* New Features:
+ Add support for chacha20-poly1305@openssh.com
+ Parsing of ~/.ssh/config Host patterns fails with extra
whitespace
+ Support generating OpenSSH client certificates
* Improvements:
+ Add support for curve25519-sha256@libssh.org key exchange
+ OpenSSH certificates: check certificate type
+ OpenSSHCertificatesTest: certificates expire in 2030
+ Display IdleTimeOut in more user-friendly format
+ sendChunkIfRemoteWindowIsSmallerThanPacketSize flag in ChannelAsyncOutputStream constructor configurable from
outside using variable/config file
+ Intercepting the server exception message from server in SSHD client
+ Implement RFC 8332 server-sig-algs on the server
+ Slow performance listing huge number of files on Apache SSHD server
+ SFTP: too many LSTAT calls
+ Support key constraints when adding a key to an SSH agent
+ Add SFTP server side file custom attributes hook
Patchnames
SUSE-2024-224,SUSE-SLE-Module-Development-Tools-15-SP5-2024-224,SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-224,SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-224,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-224,SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-224,SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-224,SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-224,SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-224,SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-224,SUSE-SLE-Product-SLES_SAP-15-SP2-2024-224,SUSE-SLE-Product-SLES_SAP-15-SP3-2024-224,SUSE-SLE-Product-SLES_SAP-15-SP4-2024-224,SUSE-Storage-7.1-2024-224,openSUSE-SLE-15.5-2024-224
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for apache-parent, apache-sshd",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for apache-parent, apache-sshd fixes the following issues:\n\napache-parent was updated from version 28 to 31:\n\n- Version 31:\n * New Features:\n + Added maven-checkstyle-plugin to pluginManagement\n * Improvements:\n + Set minimalMavenBuildVersion to 3.6.3 - the minimum\n used by plugins\n + Using an SPDX identifier as the license name is\n recommended by Maven\n + Use properties to define the versions of plugins\n * Bugs fixed:\n + Updated documentation for previous changes\n\napache-sshd was updated from version 2.7.0 to 2.12.0:\n\n- Security issues fixed:\n * CVE-2023-48795: Implemented OpenSSH \u0027strict key exchange\u0027 protocol in apache-sshd version 2.12.0 (bsc#1218189)\n * CVE-2022-45047: Java unsafe deserialization vulnerability fixed in apache-sshd version 2.9.2 (bsc#1205463)\n\n- Other changes in version 2.12.0:\n * Bugs fixed:\n + SCP client fails silently when error signalled due to missing file or lacking permissions\n + Ignore unknown key types from agent or in OpenSSH host keys extension\n * New Features:\n + Support GIT protocol-v2\n- Other changes in version 2.11.0:\n * Bugs fixed:\n + Added configurable timeout(s) to DefaultSftpClient\n + Compare file keys in ModifiableFileWatcher.\n + Fixed channel pool in SftpFileSystem.\n + Use correct default OpenOptions in SftpFileSystemProvider.newFileChannel().\n + Use correct lock modes for SFTP FileChannel.lock().\n + ScpClient: support issuing commands to a server that uses a non-UTF-8 locale.\n + SftpInputStreamAsync: fix reporting EOF on zero-length reads.\n + Work-around a bug in WS_FTP \u003c= 12.9 SFTP clients.\n + (Regression in 2.10.0) SFTP performance fix: override FilterOutputStream.write(byte[], int, int).\n + Fixed a race condition to ensure SSH_MSG_CHANNEL_EOF is always sent before SSH_MSG_CHANNEL_CLOSE.\n + Fixed error handling while flushing queued packets at end of KEX.\n + Fixed wrong log level on closing an Nio2Session.\n + Fixed detection of Android O/S from system properties.\n + Consider all applicable host keys from the known_hosts files.\n + SftpFileSystem: do not close user session.\n + ChannelAsyncOutputStream: remove write future when done.\n + SSHD-1332 (Regression in 2.10.0) Resolve ~ in IdentityFile file names in HostConfigEntry.\n * New Features:\n + Use KeepAliveHandler global request instance in client as well\n + Publish snapshot maven artifacts to the Apache Snapshots maven repository.\n + Bundle sshd-contrib has support classes for the HAProxy protocol V2.\n- Other changes in version 2.10.0:\n * Bugs fixed:\n + Connection attempt not canceled when a connection timeout occurs\n + Possible OOM in ChannelPipedInputStream\n + SftpRemotePathChannel.transferFrom(...) ignores position argument\n + Rooted file system can leak informations\n + Failed to establish an SSH connection because the server identifier exceeds the int range\n * Improvements:\n + Password in clear in SSHD server\u0027s logs\n- Other changes in version 2.9.2:\n * Bugs fixed:\n + SFTP worker threads got stuck while processing PUT methods against one specific SFTP server\n + Use the maximum packet size of the communication partner\n + ExplicitPortForwardingTracker does not unbind auto-allocated one\n + Default SshClient FD leak because Selector not closed\n + Reading again from exhausted ChannelExec#getInvertedOut() throws IOException instead of returning -1\n + Keeping error streams and input streams separate after ChannelExec#setRedirectErrorStream(true) is called\n + Nio2Session.shutdownOutput() should wait for writes in progress\n * Test:\n + Research intermittent failure in unit tests using various I/O\n service factories\n- Other changes in version 2.9.1:\n * Bugs fixed:\n + ClientSession.auth().verify() is terminated with timeout\n + 2.9.0 release broken on Java 8\n + Infinite loop in org.apache.sshd.sftp.client.impl.SftpInputStreamAsync#doRead\n + Deadlock during session exit\n + Race condition is logged in ChannelAsyncOutputStream\n- Other changes in version 2.9.0:\n * Bugs fixed:\n + Deadlock on disconnection at the end of key-exchange\n + Remote port forwarding mode does not handle EOF properly\n + Public key authentication: wrong signature algorithm used (ed25519 key with ssh-rsa signature)\n + Client fails window adjust above Integer.MAX_VALUE\n + class loader fails to load org.apache.sshd.common.cipher.BaseGCMCipher\n + Shell is not getting closed if the command has already closed the OutputStream it is using.\n + Sometimes async write listener is not called\n + Unhandled SSH_MSG_CHANNEL_WINDOW_ADJUST leeds to SocketTimeoutException\n + different host key algorithm used on rekey than used for the initial connection\n + OpenSSH certificate is not properly encoded when critical options are included\n + TCP/IP remote port forwarding with wildcard IP addresses doesn\u0027t work with OpenSSH\n + UserAuthPublicKey: uses ssh-rsa signatures for RSA keys from an agent\n * New Features:\n + Added support for Argon2 encrypted PUTTY key files\n + Added support for merged inverted output and error streams of remote process\n * Improvements:\n + Added support for \u0027limits@openssh.com\u0027 SFTP extension\n + Support host-based pubkey authentication in the client\n + Send environment variable and open subsystem at the same time for SSH session\n- Other changes in version 2.8.0:\n * Bugs fixed:\n + Fixed wrong server key algorithm choice\n + Expiration of OpenSshCertificates needs to compare timestamps as unsigned long\n + SFTP Get downloads empty file from servers which supports EOF indication after data\n + skip() doesn\u0027t work properly in SftpInputStreamAsync\n + OpenMode and CopyMode is not honored as expected in version \u003e 4 of SFTP api\n + SftpTransferTest sometimes hangs (failure during rekeying)\n + Race condition in KEX\n + Fix the ciphers supported documentation\n + Update tarLongFileMode to use POSIX\n + WinsCP transfer failure to Apache SSHD Server\n + Pubkey auth: keys from ssh-agent are used even if HostConfigEntry.isIdentitiesOnly() is true\n + Support RSA SHA2 signatures via SSH agent\n + NOTICE: wrong copyright year range\n + Wrong creationTime in writeAttrs for SFTP\n + sshd-netty logs all traffic on INFO level\n * New Features:\n + Add support for chacha20-poly1305@openssh.com\n + Parsing of ~/.ssh/config Host patterns fails with extra\n whitespace\n + Support generating OpenSSH client certificates\n * Improvements:\n + Add support for curve25519-sha256@libssh.org key exchange\n + OpenSSH certificates: check certificate type\n + OpenSSHCertificatesTest: certificates expire in 2030\n + Display IdleTimeOut in more user-friendly format\n + sendChunkIfRemoteWindowIsSmallerThanPacketSize flag in ChannelAsyncOutputStream constructor configurable from\n outside using variable/config file\n + Intercepting the server exception message from server in SSHD client\n + Implement RFC 8332 server-sig-algs on the server\n + Slow performance listing huge number of files on Apache SSHD server\n + SFTP: too many LSTAT calls\n + Support key constraints when adding a key to an SSH agent\n + Add SFTP server side file custom attributes hook\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2024-224,SUSE-SLE-Module-Development-Tools-15-SP5-2024-224,SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-224,SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-224,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-224,SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-224,SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-224,SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-224,SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-224,SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-224,SUSE-SLE-Product-SLES_SAP-15-SP2-2024-224,SUSE-SLE-Product-SLES_SAP-15-SP3-2024-224,SUSE-SLE-Product-SLES_SAP-15-SP4-2024-224,SUSE-Storage-7.1-2024-224,openSUSE-SLE-15.5-2024-224",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_0224-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2024:0224-1",
"url": "https://www.suse.com/support/update/announcement/2024/suse-su-20240224-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2024:0224-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2024-January/017759.html"
},
{
"category": "self",
"summary": "SUSE Bug 1205463",
"url": "https://bugzilla.suse.com/1205463"
},
{
"category": "self",
"summary": "SUSE Bug 1218189",
"url": "https://bugzilla.suse.com/1218189"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-45047 page",
"url": "https://www.suse.com/security/cve/CVE-2022-45047/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-48795 page",
"url": "https://www.suse.com/security/cve/CVE-2023-48795/"
}
],
"title": "Security update for apache-parent, apache-sshd",
"tracking": {
"current_release_date": "2024-01-25T08:27:16Z",
"generator": {
"date": "2024-01-25T08:27:16Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2024:0224-1",
"initial_release_date": "2024-01-25T08:27:16Z",
"revision_history": [
{
"date": "2024-01-25T08:27:16Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "apache-parent-31-150200.3.12.1.noarch",
"product": {
"name": "apache-parent-31-150200.3.12.1.noarch",
"product_id": "apache-parent-31-150200.3.12.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-sshd-2.12.0-150200.5.8.1.noarch",
"product": {
"name": "apache-sshd-2.12.0-150200.5.8.1.noarch",
"product_id": "apache-sshd-2.12.0-150200.5.8.1.noarch"
}
},
{
"category": "product_version",
"name": "apache-sshd-javadoc-2.12.0-150200.5.8.1.noarch",
"product": {
"name": "apache-sshd-javadoc-2.12.0-150200.5.8.1.noarch",
"product_id": "apache-sshd-javadoc-2.12.0-150200.5.8.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-development-tools:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP2-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP2-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP2",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP2",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Enterprise Storage 7.1",
"product": {
"name": "SUSE Enterprise Storage 7.1",
"product_id": "SUSE Enterprise Storage 7.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:ses:7.1"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-2.12.0-150200.5.8.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP5:apache-sshd-2.12.0-150200.5.8.1.noarch"
},
"product_reference": "apache-sshd-2.12.0-150200.5.8.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-2.12.0-150200.5.8.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch"
},
"product_reference": "apache-sshd-2.12.0-150200.5.8.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-2.12.0-150200.5.8.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch"
},
"product_reference": "apache-sshd-2.12.0-150200.5.8.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-2.12.0-150200.5.8.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-sshd-2.12.0-150200.5.8.1.noarch"
},
"product_reference": "apache-sshd-2.12.0-150200.5.8.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-2.12.0-150200.5.8.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch"
},
"product_reference": "apache-sshd-2.12.0-150200.5.8.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-2.12.0-150200.5.8.1.noarch as component of SUSE Linux Enterprise Server 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP2-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch"
},
"product_reference": "apache-sshd-2.12.0-150200.5.8.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-2.12.0-150200.5.8.1.noarch as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch"
},
"product_reference": "apache-sshd-2.12.0-150200.5.8.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-2.12.0-150200.5.8.1.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch"
},
"product_reference": "apache-sshd-2.12.0-150200.5.8.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-2.12.0-150200.5.8.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP2",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache-sshd-2.12.0-150200.5.8.1.noarch"
},
"product_reference": "apache-sshd-2.12.0-150200.5.8.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-2.12.0-150200.5.8.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-sshd-2.12.0-150200.5.8.1.noarch"
},
"product_reference": "apache-sshd-2.12.0-150200.5.8.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-2.12.0-150200.5.8.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-sshd-2.12.0-150200.5.8.1.noarch"
},
"product_reference": "apache-sshd-2.12.0-150200.5.8.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-2.12.0-150200.5.8.1.noarch as component of SUSE Enterprise Storage 7.1",
"product_id": "SUSE Enterprise Storage 7.1:apache-sshd-2.12.0-150200.5.8.1.noarch"
},
"product_reference": "apache-sshd-2.12.0-150200.5.8.1.noarch",
"relates_to_product_reference": "SUSE Enterprise Storage 7.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-parent-31-150200.3.12.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:apache-parent-31-150200.3.12.1.noarch"
},
"product_reference": "apache-parent-31-150200.3.12.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-2.12.0-150200.5.8.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:apache-sshd-2.12.0-150200.5.8.1.noarch"
},
"product_reference": "apache-sshd-2.12.0-150200.5.8.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-javadoc-2.12.0-150200.5.8.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:apache-sshd-javadoc-2.12.0-150200.5.8.1.noarch"
},
"product_reference": "apache-sshd-javadoc-2.12.0-150200.5.8.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-45047",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-45047"
}
],
"notes": [
{
"category": "general",
"text": "Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD \u003c= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 7.1:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-sshd-2.12.0-150200.5.8.1.noarch",
"openSUSE Leap 15.5:apache-parent-31-150200.3.12.1.noarch",
"openSUSE Leap 15.5:apache-sshd-2.12.0-150200.5.8.1.noarch",
"openSUSE Leap 15.5:apache-sshd-javadoc-2.12.0-150200.5.8.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-45047",
"url": "https://www.suse.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "SUSE Bug 1205463 for CVE-2022-45047",
"url": "https://bugzilla.suse.com/1205463"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 7.1:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-sshd-2.12.0-150200.5.8.1.noarch",
"openSUSE Leap 15.5:apache-parent-31-150200.3.12.1.noarch",
"openSUSE Leap 15.5:apache-sshd-2.12.0-150200.5.8.1.noarch",
"openSUSE Leap 15.5:apache-sshd-javadoc-2.12.0-150200.5.8.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Enterprise Storage 7.1:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-sshd-2.12.0-150200.5.8.1.noarch",
"openSUSE Leap 15.5:apache-parent-31-150200.3.12.1.noarch",
"openSUSE Leap 15.5:apache-sshd-2.12.0-150200.5.8.1.noarch",
"openSUSE Leap 15.5:apache-sshd-javadoc-2.12.0-150200.5.8.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-01-25T08:27:16Z",
"details": "critical"
}
],
"title": "CVE-2022-45047"
},
{
"cve": "CVE-2023-48795",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-48795"
}
],
"notes": [
{
"category": "general",
"text": "The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH\u0027s use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 7.1:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-sshd-2.12.0-150200.5.8.1.noarch",
"openSUSE Leap 15.5:apache-parent-31-150200.3.12.1.noarch",
"openSUSE Leap 15.5:apache-sshd-2.12.0-150200.5.8.1.noarch",
"openSUSE Leap 15.5:apache-sshd-javadoc-2.12.0-150200.5.8.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-48795",
"url": "https://www.suse.com/security/cve/CVE-2023-48795"
},
{
"category": "external",
"summary": "SUSE Bug 1217950 for CVE-2023-48795",
"url": "https://bugzilla.suse.com/1217950"
},
{
"category": "external",
"summary": "SUSE Bug 1218708 for CVE-2023-48795",
"url": "https://bugzilla.suse.com/1218708"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 7.1:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-sshd-2.12.0-150200.5.8.1.noarch",
"openSUSE Leap 15.5:apache-parent-31-150200.3.12.1.noarch",
"openSUSE Leap 15.5:apache-sshd-2.12.0-150200.5.8.1.noarch",
"openSUSE Leap 15.5:apache-sshd-javadoc-2.12.0-150200.5.8.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Enterprise Storage 7.1:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:apache-sshd-2.12.0-150200.5.8.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:apache-sshd-2.12.0-150200.5.8.1.noarch",
"openSUSE Leap 15.5:apache-parent-31-150200.3.12.1.noarch",
"openSUSE Leap 15.5:apache-sshd-2.12.0-150200.5.8.1.noarch",
"openSUSE Leap 15.5:apache-sshd-javadoc-2.12.0-150200.5.8.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-01-25T08:27:16Z",
"details": "important"
}
],
"title": "CVE-2023-48795"
}
]
}
OPENSUSE-SU-2024:12511-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
apache-sshd-2.9.2-1.1 on GA media
Notes
Title of the patch
apache-sshd-2.9.2-1.1 on GA media
Description of the patch
These are all security issues fixed in the apache-sshd-2.9.2-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-12511
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "apache-sshd-2.9.2-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the apache-sshd-2.9.2-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12511",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12511-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-45047 page",
"url": "https://www.suse.com/security/cve/CVE-2022-45047/"
}
],
"title": "apache-sshd-2.9.2-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12511-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "apache-sshd-2.9.2-1.1.aarch64",
"product": {
"name": "apache-sshd-2.9.2-1.1.aarch64",
"product_id": "apache-sshd-2.9.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "apache-sshd-javadoc-2.9.2-1.1.aarch64",
"product": {
"name": "apache-sshd-javadoc-2.9.2-1.1.aarch64",
"product_id": "apache-sshd-javadoc-2.9.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "apache-sshd-2.9.2-1.1.ppc64le",
"product": {
"name": "apache-sshd-2.9.2-1.1.ppc64le",
"product_id": "apache-sshd-2.9.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "apache-sshd-javadoc-2.9.2-1.1.ppc64le",
"product": {
"name": "apache-sshd-javadoc-2.9.2-1.1.ppc64le",
"product_id": "apache-sshd-javadoc-2.9.2-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "apache-sshd-2.9.2-1.1.s390x",
"product": {
"name": "apache-sshd-2.9.2-1.1.s390x",
"product_id": "apache-sshd-2.9.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "apache-sshd-javadoc-2.9.2-1.1.s390x",
"product": {
"name": "apache-sshd-javadoc-2.9.2-1.1.s390x",
"product_id": "apache-sshd-javadoc-2.9.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "apache-sshd-2.9.2-1.1.x86_64",
"product": {
"name": "apache-sshd-2.9.2-1.1.x86_64",
"product_id": "apache-sshd-2.9.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "apache-sshd-javadoc-2.9.2-1.1.x86_64",
"product": {
"name": "apache-sshd-javadoc-2.9.2-1.1.x86_64",
"product_id": "apache-sshd-javadoc-2.9.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-2.9.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-sshd-2.9.2-1.1.aarch64"
},
"product_reference": "apache-sshd-2.9.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-2.9.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-sshd-2.9.2-1.1.ppc64le"
},
"product_reference": "apache-sshd-2.9.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-2.9.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-sshd-2.9.2-1.1.s390x"
},
"product_reference": "apache-sshd-2.9.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-2.9.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-sshd-2.9.2-1.1.x86_64"
},
"product_reference": "apache-sshd-2.9.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-javadoc-2.9.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-sshd-javadoc-2.9.2-1.1.aarch64"
},
"product_reference": "apache-sshd-javadoc-2.9.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-javadoc-2.9.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-sshd-javadoc-2.9.2-1.1.ppc64le"
},
"product_reference": "apache-sshd-javadoc-2.9.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-javadoc-2.9.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-sshd-javadoc-2.9.2-1.1.s390x"
},
"product_reference": "apache-sshd-javadoc-2.9.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-sshd-javadoc-2.9.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:apache-sshd-javadoc-2.9.2-1.1.x86_64"
},
"product_reference": "apache-sshd-javadoc-2.9.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-45047",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-45047"
}
],
"notes": [
{
"category": "general",
"text": "Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD \u003c= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:apache-sshd-2.9.2-1.1.aarch64",
"openSUSE Tumbleweed:apache-sshd-2.9.2-1.1.ppc64le",
"openSUSE Tumbleweed:apache-sshd-2.9.2-1.1.s390x",
"openSUSE Tumbleweed:apache-sshd-2.9.2-1.1.x86_64",
"openSUSE Tumbleweed:apache-sshd-javadoc-2.9.2-1.1.aarch64",
"openSUSE Tumbleweed:apache-sshd-javadoc-2.9.2-1.1.ppc64le",
"openSUSE Tumbleweed:apache-sshd-javadoc-2.9.2-1.1.s390x",
"openSUSE Tumbleweed:apache-sshd-javadoc-2.9.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-45047",
"url": "https://www.suse.com/security/cve/CVE-2022-45047"
},
{
"category": "external",
"summary": "SUSE Bug 1205463 for CVE-2022-45047",
"url": "https://bugzilla.suse.com/1205463"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:apache-sshd-2.9.2-1.1.aarch64",
"openSUSE Tumbleweed:apache-sshd-2.9.2-1.1.ppc64le",
"openSUSE Tumbleweed:apache-sshd-2.9.2-1.1.s390x",
"openSUSE Tumbleweed:apache-sshd-2.9.2-1.1.x86_64",
"openSUSE Tumbleweed:apache-sshd-javadoc-2.9.2-1.1.aarch64",
"openSUSE Tumbleweed:apache-sshd-javadoc-2.9.2-1.1.ppc64le",
"openSUSE Tumbleweed:apache-sshd-javadoc-2.9.2-1.1.s390x",
"openSUSE Tumbleweed:apache-sshd-javadoc-2.9.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:apache-sshd-2.9.2-1.1.aarch64",
"openSUSE Tumbleweed:apache-sshd-2.9.2-1.1.ppc64le",
"openSUSE Tumbleweed:apache-sshd-2.9.2-1.1.s390x",
"openSUSE Tumbleweed:apache-sshd-2.9.2-1.1.x86_64",
"openSUSE Tumbleweed:apache-sshd-javadoc-2.9.2-1.1.aarch64",
"openSUSE Tumbleweed:apache-sshd-javadoc-2.9.2-1.1.ppc64le",
"openSUSE Tumbleweed:apache-sshd-javadoc-2.9.2-1.1.s390x",
"openSUSE Tumbleweed:apache-sshd-javadoc-2.9.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2022-45047"
}
]
}
FKIE_CVE-2022-45047
Vulnerability from fkie_nvd - Published: 2022-11-16 09:15 - Updated: 2024-11-21 07:28
Severity ?
Summary
Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:sshd:*:*:*:*:*:*:*:*",
"matchCriteriaId": "00D0F9FD-039D-4097-979B-9242276B1DD3",
"versionEndIncluding": "2.9.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD \u003c= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server."
},
{
"lang": "es",
"value": "La clase org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider en Apache MINA SSHD anteriore a la versi\u00f3n 2.9.1 usa la deserializaci\u00f3n de Java para cargar una java.security.PrivateKey serializada. La clase es una de varias implementaciones que un implementador que usa Apache MINA SSHD puede elegir para cargar las claves de host de un servidor SSH."
}
],
"id": "CVE-2022-45047",
"lastModified": "2024-11-21T07:28:40.453",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-16T09:15:14.320",
"references": [
{
"source": "security@apache.org",
"url": "https://security.netapp.com/advisory/ntap-20240216-0008/"
},
{
"source": "security@apache.org",
"url": "https://www.mail-archive.com/dev%40mina.apache.org/msg39312.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240216-0008/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.mail-archive.com/dev%40mina.apache.org/msg39312.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…